===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2260
           Multiple vulnerabilities have been identified in IBM
                Security Access Manager for Web and Mobile
                             27 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager for Web
                   IBM Security Access Manager for Mobile
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                   CVE-2016-3705 CVE-2016-3627 CVE-2016-3028
                   CVE-2016-3025  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21991110
   http://www.ibm.com/support/docview.wss?uid=swg21990317
   http://www.ibm.com/support/docview.wss?uid=swg21991107
   http://www.ibm.com/support/docview.wss?uid=swg21990318
   http://www.ibm.com/support/docview.wss?uid=swg21990837
   http://www.ibm.com/support/docview.wss?uid=swg21990838

Comment: This bulletin contains six (6) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A command injection vulnerability has been identified
in IBM Security Access Manager for Mobile appliances (CVE-2016-3028)

Document information

More support for: IBM Security Access Manager for Mobile

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1,
8.0.1.2, 8.0.1.3, 8.0.1.4, 9.0, 9.0.0.1, 9.0.1

Operating system(s): Platform Independent

Reference #: 1991110

Modified date: 2016-09-26

Security Bulletin

Summary

A vulnerability in IBM Security Access Manager for Mobile could allow
a remote authenticated attacker with admin access to the LMI to execute
arbitrary commands on the system.

Vulnerability Details

CVEID: CVE-2016-3028
DESCRIPTION: IBM Security Access Manager for Mobile could allow a remote
authenticated attacker with admin access to the LMI to execute arbitrary
commands on the system. By sending a specially-crafted request, an attacker
could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/114479 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Security Access Manager for Mobile 8.0, all firmware versions
IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product					VRMF			APAR		Remediation
IBM Security Access Manager for Mobile	8.0.0.0 - 8.0.1.4	IV89290		1. For releases prior to 8.0.1.4, upgrade to 8.0.1.4:
										8.0.1-ISS-ISAM-FP0004
										2. Apply 8.0.1.4 Interim Fix 3:
										8.0.1.4-ISS-ISAM-IF0003
IBM Security Access Manager		9.0 - 9.0.1.0		IV89326		1. For 9.0 environments, upgrade to 9.0.1.0:
										IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
										2. Apply 9.0.1.0 Interim Fix 5:
										9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitryi Beryoza

Change History

September 21, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A command injection vulnerability has been identified
in IBM Security Access Manager for Web appliances (CVE-2016-3028)


Document information

More support for: IBM Security Access Manager for Web

Software version: 7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
8.0.1.3, 8.0.1.4, 9.0, 9.0.0.1, 9.0.1

Operating system(s): Appliance

Reference #: 1990317

Modified date: 2016-09-26

Security Bulletin

Summary

A vulnerability in IBM Security Access Manager for Web could allow a remote
authenticated attacker with admin access to the LMI to execute arbitrary
commands on the system.

Vulnerability Details

CVEID: CVE-2016-3028
DESCRIPTION: IBM Security Access Manager for Web could allow a remote
authenticated attacker with admin access to the LMI to execute arbitrary
commands on the system. By sending a specially-crafted request, an attacker
could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base Score: 9.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/114479 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances

IBM Security Access Manager for Web 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation
instructions in the README files included with the patch.


Product					VRMF			APAR	Remediation
IBM Security Access Manager for Web	7.0 (appliance)		IV89326	Apply Interim Fix 27:
									7.0.0-ISS-WGA-IF0027
IBM Security Access Manager for Web	8.0.0.0 - 8.0.1.4	IV89322	1. For versions prior to 8.0.1.4, upgrade
									to 8.0.1.4:
									8.0.1-ISS-WGA-FP0004
									2. Apply 8.0.1.4 Interim Fix 3:
									8.0.1.4-ISS-WGA-IF0003
IBM Security Access Manager		9.0			IV89257	1. For versions prior to 9.0.1.0, upgrade
									to 9.0.1.0:
									IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
									2. Apply 9.0.1.0 Interim Fix 5:
									9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitryi Beryoza

Change History

September 21, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A vulnerability associated with the default account
lockout settings in IBM Security Access Manager for Mobile has been
identified (CVE-2016-3025)

Document information

More support for: IBM Security Access Manager for Mobile

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1,
8.0.1.2, 8.0.1.3, 8.0.1.4, 9.0, 9.0.0.1, 9.0.1

Operating system(s): Platform Independent

Reference #: 1991107

Modified date: 2016-09-26

Security Bulletin

Summary

The default account lockout setting in IBM Security Access Manager for
Mobile could allow a remote attacker to use brute force to discover
account credentials.

Vulnerability Details

CVEID: CVE-2016-3025
DESCRIPTION: IBM Security Access Manager for Mobile uses an inadequate
account lockout setting that could allow a remote attacker to brute force
account credentials.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/114473 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
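As an added example (not part of IBM's bulletin or the appliance's code), the following replays constructed authentication log lines through a sliding-window lockout check and counts how many guesses a permissive setting lets reach the credential check compared with a conservative one; the log format, the threshold values and the account name are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format (not the appliance's): ISO timestamp, result, account, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int      # failures tolerated inside the window before locking
    window: timedelta      # sliding window over which failures are counted
    lockout: timedelta     # how long the account stays locked once triggered

class LockoutTracker:
    """Per-account failure counter that decides whether an attempt is even tried."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user, result, now):
        """Feed one attempt; return 'locked', 'lock' (this attempt triggered it) or 'allow'."""
        if self.is_locked(user, now):
            return "locked"
        q = self.failures[user]
        if result == "success":
            q.clear()
            return "allow"
        while q and now - q[0] > self.policy.window:  # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout
            q.clear()
            return "lock"
        return "allow"

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def replay(lines, policy):
    """Replay log lines under a policy. Returns (guesses that reached the
    credential check per user, lockouts triggered per user)."""
    tracker = LockoutTracker(policy)
    tried, lockouts = defaultdict(int), defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = tracker.record(ev["user"], ev["result"], ev["ts"])
        if verdict != "locked":
            tried[ev["user"]] += 1
        if verdict == "lock":
            lockouts[ev["user"]] += 1
    return dict(tried), dict(lockouts)

# Constructed sample: 20 wrong passwords for one account in 20 seconds, then the right one.
BASE = datetime(2016, 9, 21, 10, 0, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(seconds=i)).isoformat()} auth failure user=alice src=203.0.113.7"
    for i in range(20)
] + [f"{(BASE + timedelta(seconds=20)).isoformat()} auth success user=alice src=203.0.113.7"]

# Assumed policies: a permissive default versus a conservative one.
WEAK_POLICY = LockoutPolicy(max_failures=100, window=timedelta(minutes=1), lockout=timedelta(minutes=1))
STRICT_POLICY = LockoutPolicy(max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15))

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        tried, locks = replay(SAMPLE_LOG, policy)
        print(f"{name}: guesses reaching the credential check={tried}, lockouts={locks}")
```

Under the permissive policy every one of the 21 attempts is evaluated against the real password; under the conservative one only five are, and the eventual correct password is refused while the lock holds, which is the trade-off a lockout setting is tuning.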

Affected Products and Versions

IBM Security Access Manager for Mobile 8.0, all firmware versions
IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product					VRMF			APAR	Remediation
IBM Security Access Manager for Mobile	8.0.0.0 - 8.0.1.4	IV89258	1. For releases prior to 8.0.1.4, upgrade to 8.0.1.4:
									8.0.1-ISS-ISAM-FP0004
									2. Apply 8.0.1.4 Interim Fix 3:
									8.0.1.4-ISS-ISAM-IF0003
IBM Security Access Manager		9.0 - 9.0.1.0		IV89240	1. For 9.0 environments, upgrade to 9.0.1.0:
									IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
									2. Apply 9.0.1.0 Interim Fix 5:
									9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitryi Beryoza

Change History

September 21st, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A vulnerability associated with the default account
lockout settings in IBM Security Access Manager for Web has been identified
(CVE-2016-3025)

Document information

More support for: IBM Security Access Manager for Web

Software version: 7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
8.0.1.3, 8.0.1.4, 9.0, 9.0.0.1, 9.0.1

Operating system(s): Appliance

Reference #: 1990318

Modified date: 2016-09-26

Security Bulletin

Summary

The default account lockout setting in IBM Security Access Manager for
Web could allow a remote attacker to use brute force to discover account
credentials.

Vulnerability Details

CVEID: CVE-2016-3025
DESCRIPTION: IBM Security Access Manager for Web uses an inadequate account
lockout setting that could allow a remote attacker to brute force account
credentials.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/114473 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances

IBM Security Access Manager for Web 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation
instructions in the README files included with the patch.

Product					VRMF			APAR	Remediation
IBM Security Access Manager for Web	7.0 (appliance)		IV89294	Apply Interim Fix 27:
									7.0.0-ISS-WGA-IF0027
IBM Security Access Manager for Web	8.0.0.0 -8.0.1.4	IV89317	1. For versions prior to 8.0.1.4, upgrade
									to 8.0.1.4:
									8.0.1-ISS-WGA-FP0004
									2. Apply 8.0.1.4 Interim Fix 3:
									8.0.1.4-ISS-WGA-IF0003
IBM Security Access Manager		9.0			IV89240	1. For versions prior to 9.0.1.0, upgrade to 9.0.1.0:
									IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
									2. Apply 9.0.1.0 Interim Fix 5:
									9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitryi Beryoza

Change History

September 21st, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: IBM Security Access Manager for Mobile is affected by
security vulnerabilities in libxml2

Document information

More support for: IBM Security Access Manager for Mobile

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1,
8.0.1.2, 8.0.1.3, 8.0.1.4, 9.0, 9.0.0.1, 9.0.1

Operating system(s): Platform Independent

Reference #: 1990837

Modified date: 2016-09-26

Security Bulletin

Summary

Vulnerabilities have been identified in the libxml2 library, which is a
development toolbox providing the implementation of various XML standards.

IBM Security Access Manager for Mobile uses libxml2 and is affected by
these vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-4448
DESCRIPTION: libxml2 could allow a remote attacker to execute arbitrary
code on the system, caused by a format string error. By using a specially
crafted html file containing malicious format specifiers, a remote attacker
could exploit this vulnerability to execute arbitrary code on the system
or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113523 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4449
DESCRIPTION: libxml2 could allow a remote attacker to obtain sensitive
information, caused by an XML external entity (XXE) error when processing XML
data by the XML parser. A remote attacker could exploit this vulnerability
to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113524 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-3627
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an
error in the xmlStringGetNodeList() function when parsing xml files while
in recover mode. An attacker could exploit this vulnerability to exhaust
the stack and cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/111586 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-3705
DESCRIPTION: libxml2 is vulnerable to a stack-based buffer overflow,
caused by an out-of-bounds read of xmlParserEntityCheck() and
xmlParseAttValueComplex() functions in parser.c. By persuading a victim to
open a specially crafted XML file, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112885 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4447
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by a
heap-based buffer overflow. By persuading a victim to open a specially
crafted XML file, a remote attacker could overflow a buffer and cause the
application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113522 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
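As an added example for the XXE issue (CVE-2016-4449) above, and not code from IBM or from libxml2, this is a parser-independent intake guard: any document carrying a DOCTYPE or ENTITY declaration is refused before it reaches the parser, which is the mitigation to apply at an application's own XML entry points when the library behind them is still being patched; the sample documents are constructed and the file path in them is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

class UnsafeXML(ValueError):
    """Raised when a document carries constructs this intake refuses."""

# Constructs rejected outright: any DOCTYPE (internal subset or external DTD)
# and any entity declaration. Matching runs on decoded text so that a UTF-16
# document cannot slip a byte-level pattern past the check.
_BLOCKED = (
    (re.compile(r"<!DOCTYPE", re.IGNORECASE), "DOCTYPE declaration"),
    (re.compile(r"<!ENTITY", re.IGNORECASE), "ENTITY declaration"),
)

def _decode(data):
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8")  # malformed input raises, which is the wanted outcome

def inspect(data):
    """Return the names of blocked constructs found; an empty list means acceptable."""
    text = _decode(data)
    return [name for pattern, name in _BLOCKED if pattern.search(text)]

def safe_parse(data):
    """Parse only documents that carry no DTD; the original bytes go to the parser
    so that its own encoding handling still applies."""
    findings = inspect(data)
    if findings:
        raise UnsafeXML("rejected: " + ", ".join(findings))
    return ET.fromstring(data)

def is_accepted(data):
    try:
        safe_parse(data)
        return True
    except (UnsafeXML, ET.ParseError, UnicodeDecodeError):
        return False

# Constructed samples: a plain request, the same request with an external entity
# declared in its internal subset, and that document re-encoded as UTF-16.
BENIGN = b'<?xml version="1.0"?><request><user>alice</user></request>'
XXE_SHAPED = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              b'<request><user>&ext;</user></request>')
UTF16_XXE = XXE_SHAPED.decode("utf-8").encode("utf-16")  # BOM-prefixed by the codec

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_SHAPED), ("xxe-utf16", UTF16_XXE)):
        print(label, "accepted" if is_accepted(doc) else "rejected", inspect(doc))
```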

Affected Products and Versions

IBM Security Access Manager for Mobile 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow
the installation instructions in the README file included with the patch.

Product					VRMF			APAR	Remediation
IBM Security Access Manager for Mobile	8.0.0.0 - 8.0.1.4	IV89294	1. For releases prior to 8.0.1.4, upgrade to 8.0.1.4:
									8.0.1-ISS-ISAM-FP0004
									2. Apply 8.0.1.4 Interim Fix 3:
									8.0.1.4-ISS-ISAM-IF0003
IBM Security Access Manager		9.0 - 9.0.1.0		IV89330	1. For 9.0 environments, upgrade to 9.0.1.0:
									IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
									2. Apply 9.0.1.0 Interim Fix 5:
									9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

September 21, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: IBM Security Access Manager for Web is affected by
security vulnerabilities in libxml2

Document information

More support for: IBM Security Access Manager for Web

Software version: 7.0, 8.0, 8.0.0.2, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.2,
8.0.1.3, 8.0.1.4, 9.0, 9.0.0.1, 9.0.1

Operating system(s): Appliance

Reference #: 1990838

Modified date: 2016-09-26

Security Bulletin

Summary

Vulnerabilities have been identified in the libxml2 library, which is a
development toolbox providing the implementation of various XML standards.

IBM Security Access Manager for Web uses libxml2 and is affected by these
vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-4448
DESCRIPTION: libxml2 could allow a remote attacker to execute arbitrary
code on the system, caused by a format string error. By using a specially
crafted html file containing malicious format specifiers, a remote attacker
could exploit this vulnerability to execute arbitrary code on the system
or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113523 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4449
DESCRIPTION: libxml2 could allow a remote attacker to obtain sensitive
information, caused by an XML external entity (XXE) error when processing XML
data by the XML parser. A remote attacker could exploit this vulnerability
to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113524 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-3627
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by an
error in the xmlStringGetNodeList() function when parsing xml files while
in recover mode. An attacker could exploit this vulnerability to exhaust
the stack and cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/111586 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-3705
DESCRIPTION: libxml2 is vulnerable to a stack-based buffer overflow,
caused by an out-of-bounds read of xmlParserEntityCheck() and
xmlParseAttValueComplex() functions in parser.c. By persuading a victim to
open a specially crafted XML file, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112885 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-4447
DESCRIPTION: libxml2 is vulnerable to a denial of service, caused by a
heap-based buffer overflow. By persuading a victim to open a specially
crafted XML file, a remote attacker could overflow a buffer and cause the
application to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113522 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Access Manager for Web 7.0 appliances

IBM Security Access Manager for Web 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation
instructions in the README files included with the patch.

Product					VRMF			APAR	Remediation
IBM Security Access Manager for Web	7.0 (appliance)		IV80986	Apply Interim Fix 26:
									7.0.0-ISS-WGA-IF0026
IBM Security Access Manager for Web	8.0.0.0 - 8.0.1.4	IV89324	1. For versions prior to 8.0.1.4, upgrade to 8.0.1.4:
									8.0.1-ISS-WGA-FP0004
									2. Apply 8.0.1.4 Interim Fix 2:
									8.0.1.4-ISS-WGA-IF0003
IBM Security Access Manager		9.0 - 9.0.1.0		IV89330	1. For versions prior to 9.0.1.0, upgrade to 9.0.1.0:
									IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)
									2. Apply 9.0.1.0 Interim Fix 5:
									9.0.1.0-ISS-ISAM-IF0005

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

September 21, 2016: Original version published.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================