-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2312
 Security Bulletin: Multiple vulnerabilities affect IBM Sterling products
                              4 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling External Authentication Server
                   IBM Sterling B2B Integrator
                   IBM Sterling Secure Proxy
                   IBM Sterling Connect: Direct Browser User Interface
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data   -- Existing Account            
                   Modify Arbitrary Files   -- Existing Account            
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5890 CVE-2016-3485 CVE-2016-3426
                   CVE-2016-3057  

Reference:         ASB-2016.0074
                   ASB-2016.0043
                   ESB-2016.1911
                   ESB-2016.1065

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21991289
   http://www.ibm.com/support/docview.wss?uid=swg21989578
   http://www.ibm.com/support/docview.wss?uid=swg21991287
   http://www.ibm.com/support/docview.wss?uid=swg21991387
   http://www.ibm.com/support/docview.wss?uid=swg21989577

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
Sterling External Authentication Server (CVE-2016-3426, CVE-2016-3485)

Security Bulletin

Document information

More support for:

Sterling Secure Proxy

External Authentication Server

Software version:

3.4.2, 3.4.3

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1991289

Modified date:

2016-10-03

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Technology
Edition, Version 7.0 that is used by IBM Sterling External Authentication
Server. These issues were disclosed as part of the IBM Java Runtime updates
in April 2016 and July 2016.

Vulnerability Details

CVEID:

CVE-2016-3426

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related
to the JCE component could allow a remote attacker to obtain sensitive
information resulting in a partial confidentiality impact using unknown
attack vectors.

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:

CVE-2016-3485

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related
to the Networking component has no confidentiality impact, low integrity
impact, and no availability impact.

CVSS Base Score: 2.9

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Sterling External Authentication Server 2.4.3 through 2.4.3.0 iFix 1

IBM Sterling External Authentication Server 2.4.2 through 2.4.2.0 iFix 4

Remediation/Fixes

Product                                      VRMF                             APAR            Remediation/First Fix
IBM Sterling External Authentication Server  2.4.3.0                          IT17228         Fix Central
IBM Sterling External Authentication Server  2.4.2.0                          IT17228         Fix Central

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

IBM Java SDK security bulletin, July 2016

IBM Java SDK security bulletin, April 2016

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

None.

Change History

3 October 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Cross-Site scripting vulnerability affects IBM Sterling
B2B Integrator (CVE-2016-3057)

Security Bulletin

Document information

More support for:

Sterling B2B Integrator

Software version:

5.2, 5.2.5, 5.2.6

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Reference #:

1989578

Modified date:

2016-10-03

Summary

IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site
scripting.

Vulnerability Details

CVEID:

CVE-2016-3057

DESCRIPTION:

IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.

CVSS Base Score: 6.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114843 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2

Remediation/Fixes

PRODUCT & Version                              APAR                             Remediation/Fix
IBM Sterling B2B Integrator 5.2                IT15790                          Apply Generic Interim Fix 5020602_1 or 5020500_14 on Fix Central

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

08 September 2016: Original version published

03 October 2016: Added remediation for V5.2.5

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
Sterling Secure Proxy (CVE-2016-3426, CVE-2016-3485)

Security Bulletin

Document information

More support for:

Sterling Secure Proxy

Software version:

3.4.2, 3.4.3

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1991287

Modified date:

2016-10-03

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Technology
Edition, Version 7.0 that is used by IBM Sterling Secure Proxy. These issues
were disclosed as part of the IBM Java Runtime updates in April 2016 and July
2016.

Vulnerability Details

CVEID:

CVE-2016-3426

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related
to the JCE component could allow a remote attacker to obtain sensitive
information resulting in a partial confidentiality impact using unknown
attack vectors.

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:

CVE-2016-3485

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related
to the Networking component has no confidentiality impact, low integrity
impact, and no availability impact.

CVSS Base Score: 2.9

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Sterling Secure Proxy 3.4.3 through 3.4.3.0 iFix 1

IBM Sterling Secure Proxy 3.4.2 through 3.4.2.0 iFix 8

Remediation/Fixes

Product                    VRMF             APAR            Remediation/First Fix
IBM Sterling Secure Proxy  3.4.3.0          IT17228         Fix Central
IBM Sterling Secure Proxy  3.4.2.0          IT17228         Fix Central

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

IBM Java SDK security bulletin, July 2016

IBM Java SDK security bulletin, April 2016

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

None.

Change History

3 October 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
Sterling Connect: Direct Browser User Interface (CVE-2016-3426, CVE-2016-3485)

Security Bulletin

Document information

More support for:

Sterling Connect:Direct Browser User Interface

Software version:

1.5.0, 1.5.1, 1.5.2

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #:

1991387

Modified date:

2016-10-03

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Technology
Edition, Version 7.0 that is used by IBM Sterling Connect:Direct Browser User
Interface. These issues were disclosed as part of the IBM Java Runtime
updates in April 2016 and July 2016.

Vulnerability Details

CVEID:

CVE-2016-3426

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related
to the JCE component could allow a remote attacker to obtain sensitive
information resulting in a partial confidentiality impact using unknown
attack vectors.

CVSS Base Score: 4.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:

CVE-2016-3485

DESCRIPTION:

An unspecified vulnerability in Oracle Java SE and Java SE Embedded related
to the Networking component has no confidentiality impact, low integrity
impact, and no availability impact.

CVSS Base Score: 2.9

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Sterling Connect:Direct Browser User Interface 1.5.0 through 1.5.0.2 iFix 17

IBM Sterling Connect:Direct Browser User Interface 1.4.0 through 1.4.11.0 iFix 5

Remediation/Fixes

Product                                             VRMF        iFix        Remediation/First Fix
IBM Sterling Connect:Direct Browser User Interface  1.5.0.2     iFix 18     Fix Central
IBM Sterling Connect:Direct Browser User Interface  1.4.11.0    iFix 6      Contact IBM Support and request the fix package be published for you on the ECuRep server.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

IBM Java SDK security bulletin, July 2016

IBM Java SDK security bulletin, April 2016

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

3 October 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Password management vulnerability affects IBM Sterling B2B
Integrator (CVE-2016-5890)

Security Bulletin

Document information

More support for:

Sterling B2B Integrator

Software version:

5.2, 5.2.5, 5.2.6

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Reference #:

1989577

Modified date:

2016-10-03

Summary

IBM Sterling B2B Integrator Standard Edition could allow an authenticated
attacker to change another user's password.

Vulnerability Details

CVEID:

CVE-2016-5890

DESCRIPTION:

IBM Sterling B2B Integrator Standard Edition contains an unspecified
vulnerability that would allow an authenticated attacker to change another
user's password.

CVSS Base Score: 5.3

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115334 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2

Remediation/Fixes

Product & Version                              APAR                             Remediation/Fix
IBM Sterling B2B Integrator 5.2                IT16043                          Apply Generic Interim Fix 5020602_1 or 5020500_14 on Fix Central

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

08 September 2016: Original version published

03 October 2016: Added remediation for V5.2.5

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----