ESB-2014.0981 - [AIX] IBM PureData System: Multiple vulnerabilities

Date: 16 June 2014
References: ESB-2013.1355  ESB-2013.1372  ESB-2013.1547  ESB-2013.1816  ESB-2014.0093  ESB-2014.0209  ESB-2014.1466  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0981
   Multiple vulnerabilities have been identified in IBM PureData System
                               16 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM PureData System
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Root Compromise   -- Existing Account      
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0935 CVE-2014-0907 CVE-2013-6717
                   CVE-2013-4032  

Reference:         ESB-2014.0209
                   ESB-2014.0093
                   ESB-2013.1816
                   ESB-2013.1547
                   ESB-2013.1372
                   ESB-2013.1355

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21670960
   http://www-01.ibm.com/support/docview.wss?uid=swg21671953
   http://www-01.ibm.com/support/docview.wss?uid=swg21672880
   http://www-01.ibm.com/support/docview.wss?uid=swg21672874

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: The IBM PureData System for Operational Analytics A1791
is affected by a local escalation of privilege vulnerability (CVE-2014-0935)

Security Bulletin

Document information

More support for:

PureData System for Operational Analytics
A1791

Software version:
1.0

Operating system(s):
AIX

Reference #:
1670960

Modified date:
2014-06-09

Summary

There is a vulnerability in the IBM PureData System for Operational
Analytics A1791 that could allow a local user to gain elevated privilege.

Vulnerability Details

CVE ID: CVE-2014-0935

DESCRIPTION:
An IBM PureData System for Operational Analytics A1791 security vulnerability
could allow a malicious user to gain elevated privileges during certain
events. This vulnerability can only be exploited by users through a local
system account login.

CVSS:
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92298 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:P)

Affected Products and Versions

IBM PureData System for Operational Analytics

Remediation/Fixes

For each affected component in the table, download the recommended fix,
and install using the link in the Installation instructions column.

For more information about IBM IDs, see the Help and FAQ.

Product                    IBM PureData System for Operational Analytics A1791

Download Link              Refer to the Installation Instructions link and
                           follow the download instructions in the fix pack
                           readme document.

Installation instructions  IBM PureData System for Operational Analytics A1791
                           Fix Pack 1.0.0.3 readme document

Contact IBM Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

June 9, 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: The IBM PureData System for Operational Analytics A1791
is affected by a local escalation of privilege vulnerability in IBM DB2
for Linux, Unix and Windows (CVE-2014-0907)

Security Bulletin

Document information
More support for:

PureData System for Operational Analytics
A1791

Software version:
1.0

Operating system(s):
AIX

Reference #:
1671953

Modified date:
2014-06-09

Summary

The IBM PureData System for Operational Analytics A1791 ships with IBM
DB2 Version 10.1. There is a vulnerability in IBM DB2 for Linux, Unix and
Windows that could allow a local user to gain elevated privilege.

Vulnerability Details

CVE ID: CVE-2014-0907

DESCRIPTION:
The IBM PureData System for Operational Analytics A1791 contains an IBM
DB2 security vulnerability which allows a malicious user to gain root
privilege. This vulnerability can only be exploited by users through a
local system account login.

CVSS:
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91869 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM PureData System for Operational Analytics A1791

Remediation/Fixes

For each affected component in the table, download the recommended fix,
and install using the link in the Installation instructions column.

For more information about IBM IDs, see the Help and FAQ.

Product			IBM PureData System for Operational Analytics A1791

Affected Component	DB2 V10.1 	

APAR			IC97737

Download Link		Refer to the Installation Instructions link and follow 
			the download instructions in the fix pack readme 
			document.

Installation 		IBM PureData System for Operational Analytics
instructions		A1791 Fix Pack 1.0.0.3 readme document

Contact IBM Support:
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

June 9, 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: Executing a query with an OLAP specification on the IBM
PureData System for Operational Analytics A1791 causes the DB2 server to
terminate database connections (CVE-2013-6717)

Security Bulletin

Document information
More support for:

PureData System for Operational Analytics
A1791

Software version:
1.0

Operating system(s):
AIX

Reference #:
1672880

Modified date:
2014-06-09

Summary

A vulnerability in IBM DB2 could allow a remote, authenticated user to cause
a DB2 LUW server to terminate all connections to a database and deactivate
the database. This only affects the database which the user is connected to.

Vulnerability Details

CVE ID: CVE-2013-6717

DESCRIPTION:
The IBM PureData System for Operational Analytics A1791 ships with
DB2 10.1. There is a security vulnerability which could allow a remote,
authenticated user to exploit a vulnerability in the DB2 OLAP query engine
to cause the DB2 server instance to terminate all connections to a database
and deactivate the database. This only affects the database which the user is
connected to. The vulnerability does not shut down the DB2 server instance.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89116 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:N/A:P)

Affected Products and Versions

IBM PureData System for Operational Analytics A1791

Remediation/Fixes

For each affected component in the table, download the recommended fix,
and install using the link in the Installation instructions column.

For more information about IBM IDs, see the Help and FAQ.

Product                    IBM PureData System for Operational Analytics A1791

Affected Component         DB2 V10.1

APAR                       IC97737

Download Link              Refer to the Installation Instructions link and
                           follow the download instructions in the fix pack
                           readme document.

Installation instructions  IBM PureData System for Operational Analytics A1791
                           Fix Pack 1.0.0.3 readme document

Contact IBM Support:
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

June 9, 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: IBM PureData System for Operational Analytics A1791
is affected by a vulnerability in the IBM DB2 Fast Communications Manager
(CVE-2013-4032)

Security Bulletin

Document information

More support for:
PureData System for Operational Analytics
A1791

Software version:
1.0

Operating system(s):
AIX

Reference #:
1672874

Modified date:
2014-06-09

Summary

A vulnerability in IBM DB2 for Linux, UNIX, and Windows could allow arbitrary
data sent to the Fast Communications Manager (FCM) to cause server denial
of service. Only IBM PureData System for Operational Analytics systems
that ship with IBM DB2 Version 10.1 are vulnerable.

Vulnerability Details

CVE ID: CVE-2013-4032

DESCRIPTION:
There is a vulnerability in DB2 V10.1 that could allow an unauthenticated,
remote attacker to cause a denial of service. The vulnerability exists
in the Fast Communications Manager (FCM) which is used for communication
between different nodes in a partitioned database. For more information
about the security vulnerability, see: Security Bulletin: Denial of Service
Vulnerability in DB2 for Unix, Linux and Windows's Fast Communications
Manager (CVE-2013-4032).

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86092 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM PureData System for Operational Analytics A1791

Remediation/Fixes

For each affected component in the table, download the recommended fix,
and install using the link in the Installation instructions column.

For more information about IBM IDs, see the Help and FAQ.

Product			IBM PureData System for Operational Analytics A1791

Affected Component	DB2 V10.1

APAR			IC94434	

Download Link		Refer to the Installation Instructions link and follow
			the download instructions in the fix pack readme 
			document.

Installation		IBM PureData System for Operational Analytics A1791
instructions		Fix Pack 1.0.0.3 readme document

Contact IBM Support:
In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

June 9, 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================