===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1523
Security Bulletin: Vulnerability in InstallAnywhere affects IBM InfoSphere
              Change Data Capture installers (CVE-2016-4560)
                               15 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere products
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4560  

Reference:         ESB-2016.1393
                   ESB-2016.1265

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21984310

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in InstallAnywhere affects IBM InfoSphere
Change Data Capture installers (CVE-2016-4560)

Security Bulletin

Document information

More support for:

InfoSphere Data Replication

Software version:

10.1.0, 10.2.0, 10.2.1, 11.3.0, 11.3.3

Operating system(s):

Windows

Reference #:

1984310

Modified date:

2016-06-14

Summary

InstallAnywhere generates installation executables on Microsoft Windows which
are vulnerable to a DLL-planting exploit affecting the Change Data Capture
(CDC) components within the IBM InfoSphere Data Replication and IBM
InfoSphere Change Data Delivery families of products.

Vulnerability Details

CVEID:

CVE-2016-4560

DESCRIPTION:

Flexera InstallAnywhere could allow a local attacker to gain elevated
privileges on the system, caused by an untrusted search path. An attacker
could exploit this vulnerability using a Trojan horse DLL in the current
working directory of a setup-launcher executable file to gain elevated
privileges on the system.

CVSS Base Score: 7.8

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113016
for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected CDC components include:

Management Console

Access Server (Windows-based version only)

Replication engines (agents) for the following databases (Windows-based
versions only)

. DB2 for Linux, Unix and Windows

. Datastage

. Event Server

. Hadoop

. Informix

. FlexRep

. Microsoft SQL Server

. Netezza

. Oracle

. PureScale Data System for Analytics

. Sybase

. Teradata

The following product levels are affected:

IBM InfoSphere Data Replication                                                               11.3.3, 11.3.0, 10.2.1, 10.2.0, 10.1.3, 10.1.2, 10.1.1, 10.1.0
IBM InfoSphere Data Replication for Apache Hadoop                                             11.3.3
IBM InfoSphere Data Replication for Database Migration                                        11.3.3, 10.2.1, 10.1.3
IBM InfoSphere Data Replication for Netezza                                                   11.3.0, 10.2.1, 10.2.0, 10.1.3, 10.1.2
IBM InfoSphere Data Replication for Non-Production Environments                               10.2.1, 10.1.3
IBM InfoSphere Change Data Delivery                                                           11.3.3, 11.3.0, 10.2.1, 10.2.0
IBM InfoSphere Change Data Delivery for Information Server                                    11.3.3, 11.3.0, 10.2.1, 10.2.0
IBM InfoSphere Change Data Delivery for Netezza                                               11.3.0, 10.2.1, 10.2.0
IBM InfoSphere Change Data Delivery for PureData System for Analytics                         11.3.3, 11.3.0
IBM InfoSphere Change Data Delivery for Information Server for PureData System for Analytics  11.3.3
IBM InfoSphere Change Data Delivery for Information Server for Netezza                        11.3.0, 10.2.1, 10.2.0

Remediation/Fixes

If you are not installing a fixed level of the CDC code, the installation
package is vulnerable to this security issue and you must apply the workaround
provided below to avoid being exposed to the vulnerability.

The fixed level of the CDC code can be obtained for the version 11.3.3 builds
at the following location

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information%2BManagement&product=ibm/Information+Management/IBM+InfoSphere+Data+Replication&release=11.3.3&platform=Windows&function=all&source=fc

The fix is available as of the following build numbers

IBM InfoSphere Data Replication Management Console for Windows 11.3.3.3 Build
5467, or greater

IBM InfoSphere Data Replication Access Server for Windows 11.3.3.3 Build
5467, or greater

IBM InfoSphere Data Replication CDC for all Windows agents 11.3.3.3 Build 43,
or greater

Workarounds and Mitigations

Install the product or refresh pack by running the installation wizard or by
running a silent installation:

To avoid an untrusted search path vulnerability where users could gain
increased privileges, perform the following additional steps:

1. Clear all contents (files, sub-directories, etc.) of your default
download directory/location, if any.

2. Create a new secure directory in a temporary location (such that elevated
privileges are required to access this directory).

3. Copy/extract the setup.exe executable to the secure directory created in
Step 2.

4. Launch the executable from the secure directory and wait until it
completes.
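As an added example (not from the IBM bulletin or from AusCERT), the following PowerShell script carries out workaround steps 2 to 4 above from an elevated session: it creates a temporary directory readable only by Administrators and SYSTEM, copies the launcher in, checks that no DLL sits beside it, and runs it from there. It assumes the downloaded installer path is passed as -SetupPath and that step 1 (clearing the download directory) has already been done by hand.

```powershell
# Added example (not IBM's or AusCERT's): performs workaround steps 2-4 for an
# InstallAnywhere setup.exe. Assumes an elevated PowerShell session and that
# step 1 (clearing the download directory) was already done by hand.
param(
    [Parameter(Mandatory = $true)][string]$SetupPath   # path to downloaded setup.exe
)

$ErrorActionPreference = 'Stop'

# Step 2: create a fresh, uniquely named directory under %TEMP% ...
$secureDir = Join-Path $env:TEMP ('cdc-install-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $secureDir | Out-Null

# ... and lock it down: drop inherited ACEs, then grant Full Control only to
# Administrators and SYSTEM. A non-elevated user can then neither read the
# directory nor drop a DLL next to the launcher for it to pick up.
$acl = Get-Acl -Path $secureDir
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited rules
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($identity in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $secureDir -AclObject $acl

# Step 3: copy the launcher into the secure directory.
$launcher = Join-Path $secureDir (Split-Path -Path $SetupPath -Leaf)
Copy-Item -Path $SetupPath -Destination $launcher

# Defensive check: the only file in the directory must be the launcher we
# copied in; a DLL here would be found by the launcher's search path first.
$stray = Get-ChildItem -Path $secureDir -Recurse -Filter '*.dll'
if ($stray) { throw "Unexpected DLL(s) in ${secureDir}: $($stray.Name -join ', ')" }

# Step 4: launch from the secure directory, with the working directory set
# there too, and wait until the installer completes.
$proc = Start-Process -FilePath $launcher -WorkingDirectory $secureDir -Wait -PassThru
Write-Host "Installer exited with code $($proc.ExitCode)"

# Remove the launcher copy once the install has finished.
Remove-Item -Path $secureDir -Recurse -Force
```

Run it as `.\Install-CdcSecurely.ps1 -SetupPath C:\path\to\setup.exe` from an elevated prompt; the script name is a placeholder of this example, not a file IBM ships.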

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

1 June 2016: Original version published

14 June 2016: Document updated to include fix information in the
"Remediation/Fixes" section.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================