Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.3089 Security Bulletin: Security vulnerabilities in IBM Java Runtime an= d Apache Tomcat affects IBM RLKS Administration and Reporting Tool Admin (C= VE-2016-5597, CVE-2016-3092) 23 December 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM Rational License Key Server Publisher: IBM Operating System: AIX HP-UX Linux variants Solaris Windows Impact/Access: Access Confidential Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-5597 CVE-2016-3092 Reference: ASB-2016.0095 ESB-2016.3079 ESB-2016.3078 ESB-2016.3017 ESB-2016.2995 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21995448 - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Security vulnerabilities in IBM Java Runtime and Apache Tomcat affects IBM RLKS Administration and Reporting Tool Admin (CVE-2016-5597, CVE-2016-3092) Security Bulletin Document information More support for: Rational License Key Server RLKS Administration and Reporting Tool Software version: 8.1.4, 8.1.4.2, 8.1.4.3, 8.1.4.4, 8.1.4.5, 8.1.4.6, 8.1.4.7, 8.1.4.8, 8.1.4.9 Operating system(s): AIX, HP-UX, Linux, Solaris, Windows Reference #: 1995448 Modified date: 22 December 2016 Summary There is a vulnerability related to the Networking component in IBM Runtime Environment Java Technology Edition, Version 6.0.16.0, that is used and shipped by IBM Rational License Key Server Administration and Reporting Tool Admin. Vulnerability Details CVEID: CVE-2016-5597 DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base Score: 5.9 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118071 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID: CVE-2016-3092 DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Affected Products and Versions These vulnerabilities impact following components and their releases: RLKS Administration and Reporting Tool version 8.1.4 RLKS Administration and Reporting Tool version 8.1.4.2 RLKS Administration and Reporting Tool version 8.1.4.3 RLKS Administration and Reporting Tool version 8.1.4.4 RLKS Administration and Reporting Tool version 8.1.4.5 RLKS Administration and Reporting Tool version 8.1.4.6 RLKS Administration and Reporting Tool version 8.1.4.7 RLKS Administration and Reporting Tool version 8.1.4.8 RLKS Administration and Reporting Tool version 8.1.4.9 Remediation/Fixes For CVE-2016-5597 Replace the JRE used in IBM RLKS Administration and Reporting Tool and IBM RLKS Administration Agent. Steps to replace the JRE in IBM RLKS Administration and Reporting Tool (All Versions) 1. Go to Fix Central 2. On the Find product tab, enter Rational Common Licensing in the Product Selector field and hit enter. 3. Select the Installed Version and hit continue button. 4. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and hit continue button. 5. On the Identify fixes page, select Browse for fixes and select Show fixes that apply to this version and hit continue button. 6. Download the Java 6 runtime iFix for RLKS Administration and Reporting Tool that is applicable for your target platform. Note: Although the name of the iFix is RLKS_Administration_And_Reporting_Tool_8149_iFix_9 , the same ifix is applicable to all previous RLKS Administration and Reporting Tool versions. 7. Shutdown RLKS Administration and Reporting Tool. 8. Go to the installation location of RLKS Administration and Reporting Tool. 9. Rename <install location>/server/jre folder to <install location>/server/jre_back . This step backs up the existing JRE. 10. Extract the downloaded JRE into <install location>/server folder. Example: <install location>/server/jre 11. Startup RLKS Administration and Reporting Tool. 12. Login to the tool using rcladmin user and verify that you see the configured license servers under 'Server' tab. For CVE-2016-5597 Follow the instructions below. 1. Go to Fix Central 2. On the Find product tab, enter Rational Common Licensing in the Product Selector field and hit enter. 3. Select the Installed Version and hit continue button. 4. Select the platform of the machine where RLKS Administration and Reporting Tool is installed and hit continue button. 5. On the Identify fixes page, select Browse for fixes and select Show fixes that apply to this version and hit continue button. 6. Download the file named Apache_Commons_File_Upload_Library_1.3.2.zip . Note: Although the name of the iFix is RLKS_Administration_And_Reporting_Tool_8149_iFix_9 , the same ifix is applicable to all previous RLKS Administration and Reporting Tool versions. 7. Shutdown RLKS Administration and Reporting Tool. 8. Uncompress the file. 9. Launch IM and point it to use this iFix via the file <ifix09/repository.config>. 10. Complete the Update of the RLKS Administration and Reporting Tool through IM. 11. Restart RLKS Administration and Reporting Tool. Workarounds and Mitigations None Get Notified about Future Security Bulletins Subscribe to My Notifications to be notified of important product support alerts like this. References Complete CVSS v3 Guide On-line Calculator v3 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 22 December 2016 : Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Product Alias/Synonym IBM RLKS Administration and Reporting Tool - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWFx44Ix+lLeg9Ub1AQjT3Q/9GAkMfp3PnzbT8N3RDTqIu/phiWoWapv+ /U/VkPIa58DHQyBR/p5e2jq/F/0oGF+bluhlAGzEZ08MRkYEwH7A0rZt96XgI9pI Wu/4LJqENBuSqNhf3rvF1spuCCB2q7pwocU/ajBJf0gnOG7rsKqOE5nbUvUFj4DL 9lgadWFvDOQrGnWbfjNCeNdeZV0fpDOTeZaduJFqTxfA9U6aNZFuEE5giI4uc7+V KBI9xFgR5JolOpVkgT5HorOFjldqyXJfb8K6koxsGDgrZUQ+3oD+ohRbpnq+LEVy Keu5rX/t+Jg73N+y/gJfGV0MJqtnsQs04W2brsHQIPQnaSS/w7foSGqSvj7Hlxxq kUTFZv80AvKNdnzzl8LpIIWeAGHObZMgr+4RTfPwt5f5mP22fC7/S/a7zfgMWJuM ivB9kugPF2mtsiMVjBniSljT5EoVaH/Fup00SucHQZwUX0qethH4JthvRMyj5b5t R/bbO9/gYSBelAjVwrLa0j/R4R4O0SWx+VUzWVJP8wNjKNjTzg3gYE2B/HV8z85d CnKOz3EYpTzf/09t6AdQYy+cqt2T8Uq9UDb1bu3qgX/EE+WD5gnGQebRvFPVpv7H 33pi29lEoRjj7+Uqz+r4YCrCHUG15rOQ4hkCbHbaVz3Ynco4WtegRHGdiiKGboh6 4hezo/67oKc= =L1pW -----END PGP SIGNATURE-----