Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2107
Security Bulletin: IBM Security Access Manager for Web and
Mobile are affected by vulnerabilities in NTP
8 September 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Security Access Manager for Web
IBM Security Access Manager for Mobile
Publisher: IBM
Operating System: Network Appliance
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-2518 CVE-2016-1550 CVE-2016-1548
CVE-2016-1547 CVE-2015-7979 CVE-2015-7978
CVE-2015-7977 CVE-2015-7703 CVE-2015-7702
CVE-2015-7701 CVE-2015-7692 CVE-2015-7691
CVE-2015-5219 CVE-2015-5195 CVE-2015-5194
Reference: ASB-2016.0074
ASB-2016.0046
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21989542
http://www.ibm.com/support/docview.wss?uid=swg21989544
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Security Access Manager for Web is affected by
vulnerabilities in NTP
Security Bulletin
Document information
More support for:
IBM Security Access Manager for Web
Software version:
7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 9.0,
9.0.0.1, 9.0.1
Operating system(s):
Appliance
Reference #:
1989542
Modified date:
2016-09-07
Summary
The Network Time Protocol (NTP) is used to synchronize a computer's time with
another referenced time source. These packages include the ntpd service which
continuously adjusts system time and utilities used to query and configure
the ntpd service.
IBM Security Access Manager for Web is affected by vulnerabilities in NTP.
Vulnerability Details
CVEID:
CVE-2015-5194
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an uninitialized variable when processing malicious commands. By sending a
specially crafted logconfig configuration command, a remote authenticated
attacker could exploit this vulnerability to cause the daemon to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107595
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-5195
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
the referencing of a statistics type that was not enabled during compilation
by the statistics or filegen configuration command. By sending a specially
crafted config command with statistics type, a remote authenticated attacker
could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107596
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-5219
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in the sntp program. By sending specially crafted NTP packets, a
remote attacker from within the local network could exploit this
vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107597
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7691
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107449
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7692
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107450
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7701
DESCRIPTION:
Network Time Protocol (NTP) could allow a remote attacker to obtain sensitive
information, caused by a memory leak in CRYPTO_ASSOC. An attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107444
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:
CVE-2015-7702
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107451
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7703
DESCRIPTION:
Network Time Protocol (NTP) could allow a remote attacker to traverse
directories on the system, caused by the failure to enforce local access only
of the "pidfile" and "driftfile" configuration directives. An attacker could
exploit this vulnerability to view arbitrary files on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107445
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:
CVE-2015-7977
DESCRIPTION:
NTP is vulnerable to a denial of service, caused by a NULL pointer
dereference. By sending a specially crafted ntpdc reslist command, an
attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110022
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7978
DESCRIPTION:
NTP is vulnerable to a denial of service. By sending a specially crafted
reslist command, an attacker could exploit this vulnerability to consume all
available stack memory.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110023
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7979
DESCRIPTION:
NTP could allow a remote attacker to bypass security restrictions. By sending
specially crafted broadcast packets with bad authentication, an attacker
could exploit this vulnerability to cause the target broadcast client to tear
down the association with the broadcast server.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110024
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID:
CVE-2016-1547
DESCRIPTION:
NTP is vulnerable to a denial of service, caused by the demobilization of a
preemptable client association. By sending specially crafted crypto NAK
packets, an attacker could exploit this vulnerability to cause a denial of
service.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112739
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2016-1548
DESCRIPTION:
NTP could allow a remote attacker to bypass security restrictions, caused by
an error in the ntpd client. By changing the client from basic client/server
mode to interleaved symmetric mode, an attacker could exploit this
vulnerability to modify the time of the client or cause a denial of service.
CVSS Base Score: 7.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112740
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)
CVEID:
CVE-2016-1550
DESCRIPTION:
NTP could allow a local attacker to bypass security restrictions, caused by
the failure to use a constant-time memory comparison function when validating
the authentication digest on incoming packets. By sending a specially crafted
packet with an authentication payload, an attacker could exploit this
vulnerability to conduct a timing attack to compute the value of the valid
authentication digest.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112742
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:
CVE-2016-2518
DESCRIPTION:
NTP is vulnerable to a denial of service, caused by an error when using a
specially crafted packet to create a peer association with hmode > 7. An
attacker could exploit this vulnerability to cause the MATCH_ASSOC() function
to trigger an out-of-bounds read.
CVSS Base Score: 2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112746
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
Affected Products and Versions
IBM Security Access Manager for Web 7.0 appliances
IBM Security Access Manager for Web 8.0, all firmware versions
IBM Security Access Manager 9.0, all firmware versions
Remediation/Fixes
IBM has provided patches for all affected versions. Follow the installation
instructions in the README files included with the patch.
Product VRMF APAR Remediation
IBM Security Access Manager for Web 7.0 (appliance) IV87108 Apply Interim Fix 26:
7.0.0-ISS-WGA-IF0026
IBM Security Access Manager for Web 8.0.0.0 - IV87124 1. For versions prior to 8.0.1.4, upgrade to 8.0.1.4:
8.0.1.4 8.0.1-ISS-WGA-FP0004
2. Apply 8.0.1.4 Interim Fix 2:
8.0.1.4-ISS-WGA-IF0002
IBM Security Access Manager 9.0 IV87153 1. For versions prior to 9.0.1.0, upgrade to 9.0.1.0:
IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
2. Apply 9.0.1.0 Interim Fix 4:
9.0.1.0-ISS-ISAM-IF0004
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
September 6, 2016: Original version published.
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ---
Security Bulletin: IBM Security Access Manager for Mobile is affected by
vulnerabilities in NTP
Security Bulletin
Document information
More support for:
IBM Security Access Manager for Mobile
Software version:
8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2, 8.0.1.3,
8.0.1.4, 9.0, 9.0.0.1, 9.0.1
Operating system(s):
Platform Independent
Reference #:
1989544
Modified date:
2016-09-07
Summary
The Network Time Protocol (NTP) is used to synchronize a computer's time with
another referenced time source. These packages include the ntpd service which
continuously adjusts system time and utilities used to query and configure
the ntpd service.
IBM Security Access Manager for Mobile is affected by vulnerabilities in NTP.
Vulnerability Details
CVEID:
CVE-2015-5194
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an uninitialized variable when processing malicious commands. By sending a
specially crafted logconfig configuration command, a remote authenticated
attacker could exploit this vulnerability to cause the daemon to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107595
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-5195
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
the referencing of a statistics type that was not enabled during compilation
by the statistics or filegen configuration command. By sending a specially
crafted config command with statistics type, a remote authenticated attacker
could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107596
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-5219
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in the sntp program. By sending specially crafted NTP packets, a
remote attacker from within the local network could exploit this
vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107597
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7691
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107449
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7692
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107450
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7701
DESCRIPTION:
Network Time Protocol (NTP) could allow a remote attacker to obtain sensitive
information, caused by a memory leak in CRYPTO_ASSOC. An attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107444
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:
CVE-2015-7702
DESCRIPTION:
Network Time Protocol (NTP) is vulnerable to a denial of service, caused by
an error in ntp_crypto.c. An attacker could exploit this vulnerability using
a packet containing an extension field with an invalid value for the length
of its value field to cause ntpd to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107451
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7703
DESCRIPTION:
Network Time Protocol (NTP) could allow a remote attacker to traverse
directories on the system, caused by the failure to enforce local access only
of the "pidfile" and "driftfile" configuration directives. An attacker could
exploit this vulnerability to view arbitrary files on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/107445
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:
CVE-2015-7977
DESCRIPTION:
NTP is vulnerable to a denial of service, caused by a NULL pointer
dereference. By sending a specially crafted ntpdc reslist command, an
attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110022
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7978
DESCRIPTION:
NTP is vulnerable to a denial of service. By sending a specially crafted
reslist command, an attacker could exploit this vulnerability to consume all
available stack memory.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110023
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2015-7979
DESCRIPTION:
NTP could allow a remote attacker to bypass security restrictions. By sending
specially crafted broadcast packets with bad authentication, an attacker
could exploit this vulnerability to cause the target broadcast client to tear
down the association with the broadcast server.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110024
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID:
CVE-2016-1547
DESCRIPTION:
NTP is vulnerable to a denial of service, caused by the demobilization of a
preemptable client association. By sending specially crafted crypto NAK
packets, an attacker could exploit this vulnerability to cause a denial of
service.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112739
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:
CVE-2016-1548
DESCRIPTION:
NTP could allow a remote attacker to bypass security restrictions, caused by
an error in the ntpd client. By changing the client from basic client/server
mode to interleaved symmetric mode, an attacker could exploit this
vulnerability to modify the time of the client or cause a denial of service.
CVSS Base Score: 7.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112740
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)
CVEID:
CVE-2016-1550
DESCRIPTION:
NTP could allow a local attacker to bypass security restrictions, caused by
the failure to use a constant-time memory comparison function when validating
the authentication digest on incoming packets. By sending a specially crafted
packet with an authentication payload, an attacker could exploit this
vulnerability to conduct a timing attack to compute the value of the valid
authentication digest.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112742
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:
CVE-2016-2518
DESCRIPTION:
NTP is vulnerable to a denial of service, caused by an error when using a
specially crafted packet to create a peer association with hmode > 7. An
attacker could exploit this vulnerability to cause the MATCH_ASSOC() function
to trigger an out-of-bounds read.
CVSS Base Score: 2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112746
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
Affected Products and Versions
IBM Security Access Manager for Mobile 8.0, all firmware versions
IBM Security Access Manager 9.0, all firmware versions
Remediation/Fixes
The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.
Product VRMF APAR Remediation
IBM Security Access Manager for Mobile 8.0.0.0 - IV87150 1. For releases prior to 8.0.1.4, upgrade to 8.0.1.4:
8.0.1.4 8.0.1-ISS-ISAM-FP0004
2. Apply 8.0.1.4 Interim Fix 2:
8.0.1.4-ISS-ISAM-IF0002
IBM Security Access Manager 9.0 IV87153 1. For 9.0 environments, upgrade to 9.0.1.0:
IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
2. Apply 9.0.1.0 Interim Fix 4:
9.0.1.0-ISS-ISAM-IF0004
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
Subscribe to
My Notifications
to be notified of important product support alerts like this.
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
September 6, 2016: Original version published.
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV9DuiIx+lLeg9Ub1AQhthQ/8DfGUX1iMU9QM1DrKfnitEt0zwhQq6uDz
7pIucxO8syrbQnHHxQGqffCLXp9njzPZs83F25E1hMhlS65y3PCHTwc74+cYeb+u
CtER0kdi+PATMzyKkG/TAwFTzUdMs/lcQV3jWyaijKPk3vqJJydbetNj38GH2olG
PzZl/TO+Gey0uBCiE/+RrGXncOtlINL6SXLzLiUy3lqi7MVtRGDKvBQWNBhaz75r
cC6qEi/+NN/6xLEQ9RrfynA2uee55rxVenp2Z0lhKC7FzVEKYPfNUABONXDH1Zd/
17KbNIZSaIS6/OWT+mITNHCzX+NdqiR2Afyd56xq09nKumgDj/eIpKgVmuOVS5uf
i7CPffCL2EfT9TZTqgXTCEG/vpcRI5YPUK8+DfXkyeoC6Kf3zEiSOsohQh4KvMdu
tOCw5irQwH7WMM8biYFLeT3s4Vik47gKkgbWSODH+tEk+K2i5LH65mN0luxJDHoU
EW2d/BfQNQ+2QSz16JMV4t/xbMIBJtRyDvmbpogzAvTEWx01UGTqvniBvjKvWeJh
0OKbQH8jptBrQv0vHtGHsZZKxZxCMEALs4GCfJI3p8z/QIMEoPF9jkpEBWF6Rg9K
xsgFuqRBtnb0xvQgb6kZIirKemc9IL/u2M5DMSnKciMO07cK1gEIOUWhFprpvO2z
sT3sDOPizJA=
=bDqR
-----END PGP SIGNATURE-----