===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2328
   Security Bulletin: IBM Algo One is affected by multiple Open Source Tomcat
      security vulnerabilities reported in May 2014 X-Force Report
             (CVE-2014-0096, CVE-2014-0099, CVE-2014-0119).
                              9 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Algo One
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0119 CVE-2014-0099 CVE-2014-0096

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21692277

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Algo One is affected by multiple Open Source Tomcat
security vulnerabilities reported in May 2014 X-Force Report (CVE-2014-0096,
CVE-2014-0099, CVE-2014-0119).

Document information

More support for:    Algo One
                     Algo Core
Software version:    4.7, 4.7.1, 4.8, 4.9, 4.9.1, 5.0
Operating system(s): AIX, Linux, Solaris, Windows
Reference #:         1692277
Modified date:       2014-12-08

Security Bulletin

Summary

These security vulnerabilities exist in components of IBM Algo One, namely
Counterparty Credit Risk (CCR), Algo Risk Application (ARA), and Algo One
Core. See Vulnerability Details for CVE IDs.

Vulnerability Details

CVE-2014-0096
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93367
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Apache Tomcat could allow a remote attacker to obtain sensitive information,
caused by an XML External Entity Injection (XXE) error when processing XML
data by the default servlet. By sending specially-crafted XML data, an
attacker could exploit this vulnerability to obtain sensitive information.
The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack may compromise the
confidentiality of information, but does not compromise the availability of
the system or the integrity of data.

CVE-2014-0099
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93369
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Apache Tomcat could allow a remote attacker to obtain sensitive information,
caused by the failure to check for overflows when parsing content length
headers. By sending a specially-crafted request, an attacker could exploit
this vulnerability to obtain sensitive information. The attack requires
network access, no authentication and some degree of specialized knowledge
and techniques. An attack may compromise the confidentiality of information,
but does not compromise the availability of the system or the integrity of
data.

CVE-2014-0119
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93368
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Apache Tomcat could allow a remote attacker to obtain sensitive information,
caused by the replacement of the XML parsers used to process XSLTs for the
default servlet. An attacker could exploit this vulnerability using a
specially-crafted application to obtain sensitive information. The attack
requires network access, no authentication and some degree of specialized
knowledge and techniques. An attack will not compromise the confidentiality
of information or the availability of the system, but may compromise the
integrity of data.

Affected Products and Versions

CCR v. 5.0.0
Algo One Versions 4.7.0 through 5.0.0
ARA Versions 2.5.8 through 5.0.0

The following versions of the affected products are not being patched, and
users currently on one of the versions specified below are advised to upgrade
to a patched version:

ARA 2.4.0.1
ARA 2.4.1
ARA 2.4.2
ARA 2.5.0
ARA 2.5.1
ARA 2.5.2
ARA 2.5.3
ARA 2.5.4
ARA 2.5.5
ARA 2.5.5.2
ARA 2.5.6
ARA 2.5.7.1
ARA 2.5.7.2
CCR 4.9.0
CCR Drop 13.7
CCR Drop 13.5

Remediation/Fixes

A fix has been created for each affected version of the named product.
Download and install the appropriate fix as soon as practicable. Fixes and
installation instructions are provided at the URLs listed below:

Patch Number / Download URL

CCR 500-103
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.5-Algo-OneCCR-if0103:0&includeSupersedes=0&source=fc&login=true

ARA 258-004 (applicable to ARA v 2.5.8)
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=2.5.8.6-Algo-OneARA-if0006:0&includeSupersedes=0&source=fc&login=true

ARA 491-018 (applicable to ARA v 4.9.1.1-10)
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.1-Algo-OneARA-if0018:0&includeSupersedes=0&source=fc&login=true

ARA 491-017 (applicable to ARA v 4.9.1.0-9)
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.1.0-Algo-OneARA-if0009:0&includeSupersedes=0&source=fc&login=true

ARA 500-078 (applicable to ARA v 5.0.0.3-3)
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.3-Algo-OneARA-if0003:0&includeSupersedes=0&source=fc&login=true

ARA 500-089 (applicable to ARA v 5.0.0.5)
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.5-Algo-OneARA-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true

Algo One Core 500-071
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-if0071:0&includeSupersedes=0&source=fc&login=true

Algo One Core 490-130
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.9.0.0-Algo-One-if0130:0&includeSupersedes=0&source=fc&login=true

Algo One Core 480-067
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.8.0.0-Algo-One-if0067:0&includeSupersedes=0&source=fc&login=true

Algo One Core 471-306
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.1.0-Algo-One-if0306:0&includeSupersedes=0&source=fc&login=true

Algo One Core 470-298
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=4.7.0.0-Algo-One-if0298:0&includeSupersedes=0&source=fc&login=true

Workarounds and Mitigations

None known, apply fixes.
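The XXE exposure in CVE-2014-0096 and the XSLT parser issue in CVE-2014-0119 both come down to an XML processor that will resolve DOCTYPEs, external entities and external DTDs on behalf of untrusted input. As an added example (not IBM's or Tomcat's code), the Java class below shows the standard JAXP settings that close that off for a DOM parser and for an XSLT TransformerFactory; the class and method names are hypothetical, and the sample document is constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example, not IBM's or Tomcat's code; class and method names are hypothetical.
public class HardenedXml {

    /** Parser that refuses any DOCTYPE and never resolves external entities or DTDs. */
    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright stops both external and internal entity tricks.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** XSLT factory that cannot fetch external DTDs or stylesheets (JAXP 1.5, Java 7u40+). */
    public static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document that declares an external entity (the XXE shape).
        String sample = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://example.invalid/dtd\">]>"
            + "<d>&ext;</d>";
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(sample)));
            System.out.println("parsed: " + doc.getDocumentElement().getTextContent());
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity could be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
        hardenedTransformerFactory(); // throws if the runtime cannot enforce the external-access limits
    }
}
```

On a stock JDK the run prints the "rejected" branch; if `setAttribute` throws `IllegalArgumentException`, the JAXP implementation in use predates the external-access properties and needs upgrading before it can be relied on.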
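CVE-2014-0099 is a missing overflow check when a Content-Length header is parsed into a fixed-width integer. As an added example (not Tomcat's code), the Java class below puts the unchecked accumulation beside a version that rejects overflow and anything that is not a plain decimal number; method names are hypothetical and the header values are constructed.

```java
// Added example, not Tomcat's code; method names are hypothetical.
public class ContentLength {

    /** Naive accumulation: wraps silently once the value exceeds Long.MAX_VALUE. */
    static long parseUnchecked(String header) {
        long value = 0;
        for (int i = 0; i < header.length(); i++) {
            value = value * 10 + (header.charAt(i) - '0');
        }
        return value;
    }

    /**
     * Hardened version: returns -1 for anything that is not a plain decimal number
     * representable as a non-negative long. Callers must treat -1 as "reject the
     * request", never as "no body".
     */
    static long parseChecked(String header) {
        if (header == null || header.isEmpty()) return -1;
        long value = 0;
        for (int i = 0; i < header.length(); i++) {
            char c = header.charAt(i);
            if (c < '0' || c > '9') return -1;                    // no signs, spaces or hex
            int digit = c - '0';
            if (value > (Long.MAX_VALUE - digit) / 10) return -1; // next step would overflow
            value = value * 10 + digit;
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed header values: 2^63 - 1, 2^63 and 2^64 sit exactly at the overflow edge.
        String[] samples = { "1024", "9223372036854775807", "9223372036854775808",
                             "18446744073709551616", "+12", "0x10" };
        for (String s : samples) {
            System.out.printf("%-22s unchecked=%20d checked=%20d%n",
                              s, parseUnchecked(s), parseChecked(s));
        }
    }
}
```

The 2^63 sample wraps the unchecked parser to Long.MIN_VALUE and the 2^64 sample wraps it to 0, which any downstream code would read as an empty body; the checked parser returns -1 for both.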
Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

08 December 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.