-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2242
  Multiple vulnerabilities have been identified in IBM Emptoris Strategic
         Supply Management, and IBM Emptoris Services Procurement
                              26 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Emptoris Strategic Supply Management Platform
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4000 CVE-2015-2808 CVE-2015-1916
                   CVE-2015-0488 CVE-2015-0478 

Reference:         ASB-2015.0070
                   ASB-2015.0066
                   ASB-2015.0035
                   ESB-2015.2221
                   ESB-2015.0948.2
                   ESB-2015.0947.2
                   ESB-2015.0946.2
                   ESB-2015.0944.2

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21964808
   http://www-01.ibm.com/support/docview.wss?uid=swg21964810

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
Emptoris Strategic Supply Management, and IBM Emptoris Services Procurement.

Document information

More support for:
Emptoris Strategic Supply Management Platform

Software version:
Version Independent

Operating system(s):
Platform Independent

Reference #:
1964808

Modified date:
2015-08-24

Security Bulletin

Summary

The IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services
Procurement products are affected by multiple security vulnerabilities that
exist in IBM SDK Java Technology Edition that is shipped with IBM WebSphere
Application Server. The security bulletin includes issues disclosed as
part of the IBM Java SDK updates in April 2015.

Vulnerability Details

CVEID: CVE-2015-0488
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit
related to the JSSE component could allow a remote attacker to cause a
denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102336 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0478
DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit
related to the JCE component could allow a remote attacker to obtain
sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102339 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol,
could allow a remote attacker to obtain sensitive information. An attacker
could exploit this vulnerability to remotely expose account credentials
without requiring an active man-in-the-middle session. Successful
exploitation could allow an attacker to retrieve credit card data or
other sensitive information. This vulnerability is commonly referred to as
"Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101851 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1916
DESCRIPTION: Server applications which use the IBM Java Secure Socket
Extension provider to accept SSL/TLS connections are vulnerable to a denial
of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/101995 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4000
DESCRIPTION: The TLS protocol could allow a remote attacker to obtain
sensitive information, caused by the failure to properly convey a DHE_EXPORT
ciphersuite choice. An attacker could exploit this vulnerability using
man-in-the-middle techniques to force a downgrade to 512-bit export-grade
cipher. Successful exploitation could allow an attacker to recover the
session key as well as modify the contents of the traffic. This vulnerability
is commonly referred to as "Logjam".
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Emptoris Contract Management 9.5 through 10.0.4
IBM Emptoris Program Management 10.0.0 through 10.0.4
IBM Emptoris Sourcing 10.0.0 through 10.0.4
IBM Emptoris Spend Analysis 10.0.0 through 10.0.4
IBM Emptoris Supplier Lifecycle Management 9.5 through 10.0.4
IBM Emptoris Strategic Supply Management 10.0.0 through 10.0.4
IBM Emptoris Services Procurement 10.0.0

Remediation/Fixes

An interim fix has been issued for the IBM WebSphere Application Server
(WAS) which upgrades the IBM Java Development Kit to a version that is
not susceptible to these vulnerabilities. Customers running any of the
IBM Emptoris products listed above should apply the interim fix to all
IBM WebSphere Application Server installations that are used to run IBM
Emptoris applications. See "Multiple vulnerabilities in IBM® Java SDK
affect WebSphere Application Server April 2015 CPU" and "Vulnerability
with Diffie-Hellman ciphers may affect IBM WebSphere Application Server
(CVE-2015-4000)" for more details on the upgrade versions.

Select the appropriate WebSphere Application Server fix based on the WAS
version used with your IBM Emptoris product version. The following table
lists the IBM Emptoris application versions along with the corresponding
required version of IBM WebSphere Application Server and the interim fix
whose page provides further installation instructions.

Emptoris Product Version    WAS Version    Interim Fix
9.5.x.x                     8.0.0.x        PI39866 and PI42777
10.0.0.x, 10.0.1.x          8.5.0.x        PI39865 and PI42776
10.0.2.x, 10.0.4            8.5.5.x        PI39865 and PI42776

Workarounds and Mitigations

The Logjam attack which affects TLS connections using the Diffie-Hellman
(DH) key exchange protocol may affect some configurations in WebSphere
Application Server.

WebSphere Application Server includes DH and DHE ciphers in the "STRONG"
or "HIGH", "MEDIUM" and "LOW" cipher lists. They may also be present
if you use a "CUSTOM" list of ciphers. Remove every cipher whose name
begins with SSL_ or TLS_ and contains DH or DHE as a component of the name
from your WebSphere Application Server SSL configuration. This does NOT
include ciphers with ECDH or ECDHE in the name: these are elliptic-curve
Diffie-Hellman ciphers and they are not affected.

For Full profile:

    You can change the settings in the administrative console: click
    Security > SSL certificate and key management. Under Configuration
    settings, click Manage endpoint security configurations > {Inbound
    | Outbound} > ssl_configuration. Under Related items, click SSL
    configurations, then click the name of the SSL configuration. Under
    Additional Properties, click Quality of protection (QoP) settings.
    For more information on the Quality of Protection
    settings refer to the Knowledge Center:
    http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_sslqualprotect.html?lang=en


OR

    You can use the ModifySSLConfig command of the SSLConfigCommands
    group of the AdminTask object.
    For more information on the ModifySSLConfig
    command refer to the Knowledge Center:
    http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rxml_atsslconfig.html?lang=en
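Whichever route is used, the selection rule is the same: drop the finite-field DH/DHE ciphers, keep ECDH/ECDHE. The following added example (not IBM's code and not part of the bulletin) applies that rule to a cipher list before it is written back through the console or the ModifySSLConfig command. The cipher names in SAMPLE_CIPHERS are a constructed sample in the SSL_*/TLS_* naming style; the matching deliberately treats DH and DHE as underscore-delimited name components so that the "DH" inside "ECDHE" is not caught.

```python
"""Filter a WebSphere SSL cipher list for the Logjam (CVE-2015-4000) workaround.

Added example, not IBM's code. Rule, as stated in the bulletin: remove ciphers
whose name begins with SSL_ or TLS_ and contains DH or DHE as a name component;
keep ECDH/ECDHE (elliptic-curve) ciphers.
"""
import re

# DH or DHE as a whole name component, i.e. bounded by "_" (or string edges),
# so "_DHE_" matches but the "DH" inside "_ECDHE_" does not.
_FINITE_FIELD_DH = re.compile(r"(?:^|_)DHE?(?:_|$)")
_SSL_OR_TLS = re.compile(r"^(?:SSL|TLS)_")


def is_logjam_affected(cipher: str) -> bool:
    """True if the cipher negotiates finite-field Diffie-Hellman (DH or DHE)."""
    return bool(_SSL_OR_TLS.match(cipher)) and bool(_FINITE_FIELD_DH.search(cipher))


def split_cipher_list(ciphers):
    """Return (kept, removed): the list to configure and the ciphers dropped."""
    kept = [c for c in ciphers if not is_logjam_affected(c)]
    removed = [c for c in ciphers if is_logjam_affected(c)]
    return kept, removed


# Constructed sample resembling a "CUSTOM" WebSphere cipher list.
SAMPLE_CIPHERS = [
    "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # elliptic-curve: keep
    "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",        # finite-field DHE: remove
    "SSL_RSA_WITH_AES_128_CBC_SHA",            # RSA key transport: keep
    "SSL_DH_anon_WITH_AES_128_CBC_SHA",        # anonymous DH: remove
    "SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA",     # elliptic-curve: keep
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",   # export-grade DHE: remove
]

if __name__ == "__main__":
    kept, removed = split_cipher_list(SAMPLE_CIPHERS)
    print("Configure:", ", ".join(kept))
    print("Removed:  ", ", ".join(removed))
```

The `kept` list is what you would then enter as the enabled ciphers in the QoP settings page or pass to ModifySSLConfig (see the Knowledge Center link above for that command's parameters). Because ECDH and ECDHE names share the "DH" substring, a naive substring check would strip the unaffected elliptic-curve ciphers as well and needlessly weaken the configuration; the component-wise match avoids that.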

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v2 Guide
On-line Calculator v2
Security Bulletin: Multiple vulnerabilities in current releases of the
IBM SDK, Java Technology Edition

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

24 Aug 2015 - Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment		Product
Commerce	Emptoris Contract Management
Commerce	Emptoris Program Management
Commerce	Emptoris Services Procurement
Commerce	Emptoris Sourcing
Commerce	Emptoris Spend Analysis
Commerce	Emptoris Strategic Supply Management Platform
Commerce	Emptoris Supplier Lifecycle Management

- -------------------------------------------------------------------------------
Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere
Application Server affect IBM Emptoris Strategic Supply Management and
IBM Emptoris Services Procurement (CVE-2015-1927, CVE-2015-1946)

Document information

More support for:
Emptoris Strategic Supply Management Platform

Software version:
Version Independent

Operating system(s):
Platform Independent
Reference #:
1964810

Modified date:
2015-08-24

Security Bulletin

Summary

IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services
Procurement products are affected by multiple security vulnerabilities
that exist in IBM WebSphere Application Server that is shipped with the
Emptoris products.

Vulnerability Details

CVEID: CVE-2015-1927
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker
to gain elevated privileges on the system, caused by an application not
having the correct serveServletsbyClassname setting. If a developer does
not set the correct property, an attacker could exploit this vulnerability
to gain unauthorized access.
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/102872 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-1946
DESCRIPTION: IBM WebSphere Application Server 8.5 and IBM WebSphere Virtual
Enterprise 7.0 could allow a local attacker to gain elevated privileges
on the system, caused by user roles not being handled properly.
CVSS Base Score: 4.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/103201 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)

Affected Products and Versions

IBM Emptoris Contract Management 9.5 through 10.0.4
IBM Emptoris Program Management 10.0.0 through 10.0.4
IBM Emptoris Sourcing 10.0.0 through 10.0.4
IBM Emptoris Spend Analysis 10.0.0 through 10.0.4
IBM Emptoris Supplier Lifecycle Management 9.5 through 10.0.4
IBM Emptoris Strategic Supply Management 10.0.0 through 10.0.4
IBM Emptoris Services Procurement 10.0.0

Remediation/Fixes

An interim fix has been issued for the IBM WebSphere Application Server
which will apply the needed patches to upgrade to a version which is
not susceptible to this vulnerability. Customers running any of the IBM
Emptoris products listed above should apply the interim fix to all IBM
WebSphere Application Server installations that are used to run IBM Emptoris
applications. See Security Bulletin: Multiple Security Vulnerabilities
fixed in IBM WebSphere Application Server 8.5.5.6 for more details on
upgrade versions.

Select the appropriate WebSphere Application Server (WAS) fix based on the
WAS version used with your IBM Emptoris product version. The following
table lists the IBM Emptoris application versions along with the
corresponding required version of IBM WebSphere Application Server and the
interim fix whose page provides further installation instructions.


Emptoris Product Version    WAS Version    Interim Fix
9.5.x.x                     8.0.0.x        CVE-2015-1927: PI31622
                                           CVE-2015-1946: Not affected
10.0.0.x, 10.0.1.x          8.5.0.x        CVE-2015-1927: PI31622
                                           CVE-2015-1946: PI35180
10.0.2.x, 10.0.4            8.5.5.x        CVE-2015-1927: PI31622
                                           CVE-2015-1946: PI35180

Additional note for CVE-2015-1927:
Please note: this APAR changed the default value of the WebContainer
custom property com.ibm.ws.webcontainer.disallowServeServletsByClassname
from false to true so that the exposure cannot occur by default. Before
this change, it was up to the developer to remember to set the custom
property to true before deploying into production.

Property Name: com.ibm.ws.webcontainer.disallowServeServletsByClassname
Description: If set to true, disallows the use of
serveServletsByClassnameEnabled at the application server level, overriding
any setting of serveServletsByClassnameEnabled at the application level. This
property affects all applications.
Values: true(default)/false

If you need to change the value, please refer to the following technote
for instructions on enabling WebContainer custom properties:

Full Profile: http://www.ibm.com/support/docview.wss?uid=swg21284395

Workarounds and Mitigations

Workaround:

CVE-2015-1927:
Set the custom property
com.ibm.ws.webcontainer.disallowServeServletsByClassname to true

Mitigation: None
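The property description above gives a precedence rule: the server-level custom property, when true, overrides any application that has enabled serving servlets by class name, and its default depends on whether APAR PI31622 is applied. The following added example (not IBM's code and not part of the bulletin) turns that rule into an audit over constructed sample web-module extension documents, so an administrator can list which modules would still serve servlets by class name on a given server. The .xmi attribute serveServletsByClassnameEnabled is the one the bulletin names; the element name enable-serving-servlets-by-class-name for the newer ibm-web-ext.xml format, and the module names, are assumptions for illustration.

```python
"""Audit WebSphere web-module extensions for CVE-2015-1927 exposure.

Added example, not IBM's code. Parses the application-level flag from both
ibm-web-ext formats, then applies the bulletin's rule for the server-level
custom property. All sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

# Property name as given in the bulletin.
DISALLOW_PROPERTY = "com.ibm.ws.webcontainer.disallowServeServletsByClassname"
# Assumed element name used by the newer ibm-web-ext.xml format.
NEW_FORMAT_ELEMENT = "enable-serving-servlets-by-class-name"


def _as_bool(value) -> bool:
    return str(value).strip().lower() == "true"


def app_serves_by_classname(ext_xml: str) -> bool:
    """True if a module's ibm-web-ext.xmi/.xml enables serving servlets by class name."""
    root = ET.fromstring(ext_xml)
    # Older .xmi format: attribute on the root WebAppExtension element.
    if "serveServletsByClassnameEnabled" in root.attrib:
        return _as_bool(root.attrib["serveServletsByClassnameEnabled"])
    # Newer .xml format: namespaced child element carrying a value attribute.
    for el in root.iter():
        if el.tag.split("}")[-1] == NEW_FORMAT_ELEMENT:
            return _as_bool(el.get("value", "false"))
    return False  # flag absent: the feature is off unless explicitly enabled


def server_disallows(custom_properties: dict, patched: bool) -> bool:
    """Effective value of the server-level disallow property.

    An explicit setting wins. Otherwise the default is false before
    APAR PI31622 and true after it, as the bulletin states.
    """
    if DISALLOW_PROPERTY in custom_properties:
        return _as_bool(custom_properties[DISALLOW_PROPERTY])
    return patched


def exposed_modules(modules: dict, custom_properties: dict, patched: bool) -> list:
    """Names of modules that would actually serve servlets by class name."""
    if server_disallows(custom_properties, patched):
        return []  # server-level property overrides every application setting
    return sorted(name for name, xml in modules.items() if app_serves_by_classname(xml))


# Constructed samples. OLD_XMI mirrors the .xmi attribute style; NEW_XML the
# assumed .xml element style; SAFE_XML leaves the flag unset.
OLD_XMI = (
    '<webappext:WebAppExtension xmi:version="2.0" '
    'xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi" '
    'fileServingEnabled="true" serveServletsByClassnameEnabled="true"/>'
)
NEW_XML = (
    '<web-ext xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">'
    '<enable-serving-servlets-by-class-name value="true"/></web-ext>'
)
SAFE_XML = '<web-ext xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0"/>'
SAMPLE_MODULES = {"legacy.war": OLD_XMI, "portal.war": NEW_XML, "api.war": SAFE_XML}

if __name__ == "__main__":
    for patched in (False, True):
        print("patched=%s exposed=%s" % (patched, exposed_modules(SAMPLE_MODULES, {}, patched)))
    print("explicit true :", exposed_modules(SAMPLE_MODULES, {DISALLOW_PROPERTY: "true"}, False))
    print("explicit false:", exposed_modules(SAMPLE_MODULES, {DISALLOW_PROPERTY: "false"}, True))
```

The point the audit makes explicit is that applying PI31622 without reviewing custom properties is sufficient only while the property is left at its new default; an explicit `false` left over from a development server re-exposes every module that enables the flag, which is why the bulletin's workaround sets the property to true rather than relying on the default.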

References
Complete CVSS v2 Guide
On-line Calculator v2
Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere
Application Server 8.5.5.6

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

24 Aug 2015 - Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.



Cross reference information

Segment		Product

Commerce	Emptoris Contract Management
Commerce	Emptoris Program Management
Commerce	Emptoris Services Procurement
Commerce	Emptoris Sourcing
Commerce	Emptoris Spend Analysis
Commerce	Emptoris Strategic Supply Management Platform
Commerce	Emptoris Supplier Lifecycle Management

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVd07Fn6ZAP0PgtI9AQKV3xAAuAPN39dTCu1jX73NegNWw2Rhu+RREaQr
4OcksHIv1ksCDoJENBlqfIPUNUMQ41yYxp47m5J10twdyN2An0Eq8Th3lOfekrli
r1bv+SOorU0naAO0DffPpBEoIYi1W/tvWUUsdGSE0Xu2qlPNRa5EIwPknqoRlOPi
YvfQIEb3Un/Hkg6t1yo+VoRP4lHg6+eH+z7gJUZr9MpK5tgbcYwKh/++yyDQN6xD
dhuutmK/kc/ktpJa9+dgkAc7YEugs0ezaoxJES+9vqUQIBEiQWjcoDSRISP6G2SY
lvNhSuS/fNZMN1vWzECO7l419DFNQgCKOinl/05gmwpErG10GdiT1YQENFGCe0Q5
TcqcYVe1pd6m03hNj3aJ3NmTcJ4inynh2juStJDaoWcKF7rL9z7LS9h6MsX1jJhB
E3xsnaw3oAXPAWKNsVwn2GiTMIO3CRTSqbtqwOK1Sbr1qqDNDJ3L8dmEHYPh8xhv
nzG9Pv3N9o9gtaXRaSK2kXcICnTQTqW2qMh1moYyxj2Pc1D9nbQyk2+iVTno0F/f
pgabhbbTOrO6uMdyyY6vSMMV503E96uTtsX1tXQFM1G4JDFYbBmqHRC/L0Uxw7M5
4LWZgLBaQmpxDzP9pqQCDxPNG2neFsP9rocOX/WYFXrrQ5x5efa/Dtq4MnKqYeHk
uLVr+Z0AGGs=
=Og4P
-----END PGP SIGNATURE-----