===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2015.2821
Security Bulletin: A security vulnerability has been identified in IBM
Cognos Business Intelligence, IBM DB2, IBM SPSS Modeler, IBM SPSS
Collaboration and Deployment Services, IBM WebSphere Application Server,
WebSphere Message Broker and IBM Integration
12 November 2015
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM Cognos Business Intelligence
                   IBM DB2
                   IBM SPSS Modeler
                   IBM SPSS Collaboration and Deployment Services
                   IBM WebSphere Application Server
                   IBM WebSphere Message Broker
                   IBM Integration Bus
Publisher:         IBM
Operating System:  Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4000 CVE-2015-2808 CVE-2015-2638
                   CVE-2015-2637 CVE-2015-2632 CVE-2015-2625
                   CVE-2015-2619 CVE-2015-2613 CVE-2015-1931
                   CVE-2015-1793 CVE-2015-1790 CVE-2015-1789
                   CVE-2015-1788 CVE-2015-0488 CVE-2015-0478

Reference:         ESB-2015.2631
                   ESB-2015.1955
                   ESB-2015.1917
                   ESB-2015.1846
                   ESB-2015.1569
                   ESB-2015.1535
                   ESB-2015.1432
                   ESB-2015.0993
                   ESB-2015.0944.2

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=swg21970582

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A security vulnerability has been identified in IBM
Cognos Business Intelligence, IBM DB2, IBM SPSS Modeler, IBM SPSS
Collaboration and Deployment Services, IBM WebSphere Application Server,
WebSphere Message Broker and IBM Integration

Security Bulletin

Document information

More support for:     Predictive Maintenance and Quality
Software version:     2.0, 2.5, 2.5.1
Operating system(s):  Linux, Windows
Reference #:          1970582
Modified date:        2015-11-11

Summary

IBM Cognos Business Intelligence, IBM DB2, IBM SPSS Modeler, IBM SPSS
Collaboration and Deployment Services, IBM WebSphere Application Server,
WebSphere Message Broker and IBM Integration Bus are shipped as components
of IBM Predictive Maintenance and Quality. Information about a security
vulnerability affecting IBM Cognos Business Intelligence, IBM DB2, IBM SPSS
Modeler, IBM SPSS Collaboration and Deployment Services, IBM WebSphere
Application Server, WebSphere Message Broker and IBM Integration Bus has
been published in their respective security bulletins.

Vulnerability Details

Please consult the Security Bulletin: Vulnerability in Diffie-Hellman
ciphers affects IBM Cognos Business Intelligence for vulnerability details
and information about fixes.

Please consult the Security Bulletin: Vulnerability in Diffie-Hellman
ciphers affects IBM DB2 for vulnerability details and information about
fixes.

Please consult the Security Bulletin: Multiple vulnerabilities in IBM Java
SDK affect IBM SPSS Modeler for vulnerability details and information about
fixes.

Please consult the Security Bulletin: Multiple vulnerabilities in IBM Java
SDK affect IBM SPSS Collaboration and Deployment Services for vulnerability
details and information about fixes

Please consult the Security Bulletin: Vulnerability with Diffie-Hellman
ciphers may affect IBM WebSphere Application Server details and information
about fixes

Please consult the Security Bulletin: Multiple vulnerabilities in IBM Java
Runtime including Logjam affect WebSphere Message Broker and IBM Integration
Bus. This bulletin also addresses vulnerabilities in OpenSSL including
Logjam and alternate chains certificate forgery details and information
about fixes

Affected Products and Versions

Principal Product and Version(s)             Affected Supporting Product and Version

IBM Predictive Maintenance and Quality 2.0   IBM Cognos Business Intelligence 10.2.1.1
                                             IBM DB2 10.1.0.3
                                             IBM SPSS Modeler 16.0
                                             IBM SPSS Collaboration and Deployment Services 6.0
                                             IBM WebSphere Application Server ND 8.5.5.0
                                             WebSphere Message Broker 7.5.0.2
                                             IBM Integration Bus 9.0.0.1

IBM Predictive Maintenance and Quality 2.5   IBM Cognos Business Intelligence 10.2.2
                                             IBM DB2 10.5.0.4
                                             IBM SPSS Modeler 16.0.0.1
                                             IBM SPSS Collaboration and Deployment Services 6.0.0.1
                                             IBM WebSphere Application Server ND 8.5.5.3
                                             WebSphere Message Broker 7.5.0.4
                                             IBM Integration Bus 9.0.0.2

IBM Predictive Maintenance and Quality 2.5.1 IBM Cognos Business Intelligence 10.2.2
                                             IBM DB2 10.5.0.4
                                             IBM SPSS Modeler 17.0
                                             IBM SPSS Collaboration and Deployment Services 7.0
                                             IBM WebSphere Application Server ND 8.5.5.3
                                             WebSphere Message Broker 7.5.0.4
                                             IBM Integration Bus 9.0.0.2

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

November 11, 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================