-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1589
      Security Bulletin: Multiple Security Vulnerabilities found in
    IBM Sterling Secure Proxy (CVE-2014-0878, CVE-2014-0107, CVE-2014-0453,
   CVE-2014-4263, CVE-2014-4244) and Multiple Security Vulnerabilities found
       in IBM Sterling External Authentication Server (CVE-2014-0878,
         CVE-2014-0107, CVE-2014-0453, CVE-2014-4263, CVE-2014-4244)
                              15 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling Secure Proxy
                   IBM Sterling External Authentication Server
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4263 CVE-2014-4244 CVE-2014-0878 CVE-2014-0453
                   CVE-2014-0107
Reference:         ASB-2014.0077
                   ESB-2014.1585
                   ESB-2014.1501
                   ESB-2014.1489
                   ESB-2014.1407
                   ESB-2014.1307
                   ESB-2014.1016
                   ESB-2014.0398

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21682526
   http://www-01.ibm.com/support/docview.wss?uid=swg21682529

Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling
Secure Proxy (CVE-2014-0878, CVE-2014-0107, CVE-2014-0453, CVE-2014-4263,
CVE-2014-4244)

Security Bulletin

Document information
More support for: Sterling Secure Proxy
Software version: All
Operating system(s): All
Reference #: 1682526
Modified date: 2014-09-12

Summary

IBM Sterling Secure Proxy is shipped with IBM Runtime Environment, Java
Technology Edition (the "IBM JRE"), that is based on an Oracle Java Runtime
Environment (JRE). Oracle has released the April and July 2014 critical patch
updates (CPU) that contain security vulnerability fixes for the JRE. The IBM
JRE has been updated to incorporate these fixes and security fixes that are
specific to the IBM JRE. IBM Sterling Secure Proxy is affected by four of the
vulnerabilities in the CPUs, and the IBM JRE shipped with IBM Sterling Secure
Proxy has been updated to remediate the vulnerabilities. The Apache Xalan-Java
package used in IBM Sterling Secure Proxy has also been updated to correct a
vulnerability.

Vulnerability Details

CVE ID: CVE-2014-0878
DESCRIPTION: A vulnerability in the IBMSecureRandom implementation of the
IBMJCE and IBMSecureRandom cryptographic providers potentially allows an
attacker to predict the output of the random number generator under certain
circumstances.
CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0107
DESCRIPTION: Apache Xalan-Java could allow a remote attacker to bypass
security restrictions, caused by the improper handling of output properties.
An attacker could exploit this vulnerability to bypass the secure processing
feature to load arbitrary restricted classes.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92023 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2014-0453
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Security component has partial confidentiality impact, partial integrity
impact, and no availability impact.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4263
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit
related to the Security component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4244
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit
related to the Security component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94605 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Sterling Secure Proxy 3.4.1 through 3.4.1.8 iFix03
IBM Sterling Secure Proxy 3.4.0 through 3.4.0.6 iFix04
IBM Sterling Secure Proxy 3.3.01 through 3.3.01 Patch 23 iFix04

Remediation/Fixes

Fix*    VRMF      APAR   How to acquire fix
iFix 4  3.4.1.8   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.1.8&platform=All&function=all
iFix 5  3.4.0.6   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.0&platform=All&function=all
iFix 5  3.3.1.23  N/A    https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

Workarounds and Mitigations

None.

References

Complete CVSS Guide
On-line Calculator V2
IBM Java SDK security bulletin for April 2014
IBM Java SDK security bulletin for July 2014

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

12 September 2014: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ----------------------------------------------------------------------

Security Bulletin: Multiple Security Vulnerabilities found in IBM Sterling
External Authentication Server (CVE-2014-0878, CVE-2014-0107, CVE-2014-0453,
CVE-2014-4263, CVE-2014-4244)

Security Bulletin

Document information
More support for: Sterling Secure Proxy
                  External Authentication Server
Software version: All
Operating system(s): All
Reference #: 1682529
Modified date: 2014-09-12

Summary

IBM Sterling External Authentication Server is shipped with IBM Runtime
Environment, Java Technology Edition (the "IBM JRE"), that is based on an
Oracle Java Runtime Environment (JRE). Oracle has released the April and July
2014 critical patch updates (CPU) that contain security vulnerability fixes
for the JRE. The IBM JRE has been updated to incorporate these fixes and
security fixes that are specific to the IBM JRE. IBM Sterling External
Authentication Server is affected by four of the vulnerabilities in the CPUs,
and the IBM JRE shipped with IBM Sterling External Authentication Server has
been updated to remediate the vulnerabilities. The Apache Xalan-Java package
used in IBM Sterling External Authentication Server has also been updated to
correct a vulnerability.

Vulnerability Details

CVE ID: CVE-2014-0878
DESCRIPTION: A vulnerability in the IBMSecureRandom implementation of the
IBMJCE and IBMSecureRandom cryptographic providers potentially allows an
attacker to predict the output of the random number generator under certain
circumstances.
CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91084 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-0107
DESCRIPTION: Apache Xalan-Java could allow a remote attacker to bypass
security restrictions, caused by the improper handling of output properties.
An attacker could exploit this vulnerability to bypass the secure processing
feature to load arbitrary restricted classes.
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92023 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2014-0453
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Security component has partial confidentiality impact, partial integrity
impact, and no availability impact.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92490 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4263
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit
related to the Security component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94606 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVE ID: CVE-2014-4244
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit
related to the Security component has partial confidentiality impact, partial
integrity impact, and no availability impact.
CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94605 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Sterling External Authentication Server 2.4.1 through 2.4.1.8 iFix 02
IBM Sterling External Authentication Server 2.4.0 through 2.4.0.4 iFix 04
IBM Sterling External Authentication Server 2.3.01 through 2.3.01 Patch 11 iFix 03

Remediation/Fixes

Apply the applicable maintenance packages listed in the table below:

Fix*    VRMF      APAR   How to acquire fix
iFix 3  2.4.1.8   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=2.4.1.8&platform=All&function=all
iFix 5  2.4.0.4   N/A    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=2.4.0&platform=All&function=all
iFix 4  2.3.1.11  N/A    https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US

Workarounds and Mitigations

None.

References

Complete CVSS Guide
On-line Calculator V2
IBM Java SDK security bulletin for April 2014
IBM Java SDK security bulletin for July 2014

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

12 September 2014: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
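The two bulletins above give affected levels only as prose ranges ("3.4.1 through 3.4.1.8 iFix03", "2.3.01 through 2.3.01 Patch 11 iFix 03"), so checking an inventory against them by hand is error-prone. The following triage helper is an added example, not part of the AusCERT or IBM text: it parses those range strings exactly as printed, treating "Patch N" as the fourth VRMF field (the fix table writes "3.3.01 Patch 23" as 3.3.1.23) and the iFix level as the final tiebreaker; hostnames and installed levels in the sample inventory are constructed.

```python
import re

# Affected ranges as printed in the two IBM bulletins above ("through" = inclusive).
AFFECTED = {
    "IBM Sterling Secure Proxy": [
        ("3.4.1", "3.4.1.8 iFix03"),
        ("3.4.0", "3.4.0.6 iFix04"),
        ("3.3.01", "3.3.01 Patch 23 iFix04"),
    ],
    "IBM Sterling External Authentication Server": [
        ("2.4.1", "2.4.1.8 iFix 02"),
        ("2.4.0", "2.4.0.4 iFix 04"),
        ("2.3.01", "2.3.01 Patch 11 iFix 03"),
    ],
}
_PATCH = re.compile(r"patch\s*(\d+)", re.I)
_IFIX = re.compile(r"ifix\s*(\d+)", re.I)

def version_key(text):
    """Sortable key for a level string such as '3.3.01 Patch 23 iFix04'.
    Dotted fields are padded to four (so '3.4.1' sorts below '3.4.1.8'), a
    'Patch N' token becomes the fourth field, and the iFix level comes last."""
    parts = [int(p) for p in text.split()[0].split(".")]
    patch = _PATCH.search(text)
    if patch:
        parts.append(int(patch.group(1)))
    parts = (parts + [0, 0, 0, 0])[:4]
    ifix = _IFIX.search(text)
    return tuple(parts) + (int(ifix.group(1)) if ifix else 0,)

def is_affected(product, installed):
    """True when the installed level lies inside one of the bulletin's ranges."""
    key = version_key(installed)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED[product])

def triage(inventory):
    """(host, product, level) rows -> hosts that still need the listed iFix."""
    return [h for h, p, lvl in inventory if is_affected(p, lvl)]

# Constructed sample inventory; hostnames and levels are made up for illustration.
SAMPLE_INVENTORY = [
    ("ssp-edge-01", "IBM Sterling Secure Proxy", "3.4.1.8 iFix03"),  # last affected level
    ("ssp-edge-02", "IBM Sterling Secure Proxy", "3.4.1.8 iFix04"),  # carries the fix
    ("ssp-legacy", "IBM Sterling Secure Proxy", "3.3.01 Patch 23 iFix02"),
    ("seas-01", "IBM Sterling External Authentication Server", "2.4.0.2"),
    ("seas-02", "IBM Sterling External Authentication Server", "2.4.1.8 iFix 03"),
]
```

`triage(SAMPLE_INVENTORY)` returns ssp-edge-01, ssp-legacy and seas-01; levels outside the printed ranges (for instance a later fix pack) are not flagged because the bulletins say nothing about them.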
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================