-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1257
       Security Bulletin: Vulnerability in IBM Java Runtime affects
                        Rational Publishing Engine
                                18 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational Publishing Engine
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3289 CVE-2017-3272 CVE-2017-3261
                   CVE-2017-3260 CVE-2017-3259 CVE-2017-3253
                   CVE-2017-3252 CVE-2017-3241 CVE-2017-3231
                   CVE-2016-5552 CVE-2016-5549 CVE-2016-5548
                   CVE-2016-5547 CVE-2016-5546 CVE-2016-2183

Reference:         ASB-2017.0005
                   ESB-2017.1237
                   ESB-2017.1222
                   ESB-2017.1209

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22003118

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Publishing Engine

Security Bulletin

Document information

More support for:     Rational Publishing Engine, General Information
Software version:     1.3, 2.0.0, 2.0.1, 2.1.0, 2.1.1
Operating system(s):  Linux, Windows
Software edition:     All Editions
Reference #:          2003118
Modified date:        16 May 2017

Summary

There is a vulnerability in the IBM Java Runtime Environment, Versions 6 and 7,
which is used by Rational Publishing Engine.

Vulnerability Details

CVEID: CVE-2017-3289

DESCRIPTION: Specially crafted bytecode can bypass the required call to
super.init() in a constructor, which allows uninitialized objects to be
created. Untrusted code can exploit this to elevate its privileges.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120861 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3272

DESCRIPTION: A flaw in the java.util.concurrent package facilitates type
confusion, which can be exploited by untrusted code to elevate its privileges.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120862 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3241

DESCRIPTION: RMI deserialization does not limit the types which are
deserialized, which can lead to sandbox escapes.

Filtering functionality has been added, with a default filter for RMI which
can be customized if necessary (http://openjdk.java.net/jeps/290).

CVSS Base Score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120867 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3260

DESCRIPTION: A flaw in the AWT component facilitates targeted memory
corruption. This may allow untrusted code to elevate its privileges.

CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120857 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5546

DESCRIPTION: ECDSA will accept signatures that have various extraneous bytes
added to them, whereas the encoding of a signature is supposed to be unique.

CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3253

DESCRIPTION: The PNG specification allows zTXt sections to be 2^32-1 bytes
long. These are currently decompressed by default, which allows an attacker to
inflict a DoS by providing malicious PNG images.

The fix ensures that zTXt sections are ignored by default.

CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120868 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
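The failure mode behind CVE-2017-3253 is a decoder that inflates compressed text chunks it never needed, so a few kilobytes of compressed zTXt data can expand to gigabytes. The following Python example is added here and is not IBM's or the JDK's code: it walks the chunk structure of a PNG, verifies each chunk CRC, skips zTXt by default (the behaviour the fix adopts), and, when text is explicitly requested, inflates it only up to a hard byte limit. The PNG bytes it processes are constructed inline, including a small zTXt chunk whose compressed payload expands far past the limit.

```python
"""Bounded PNG chunk walker: zTXt is skipped by default and size-capped otherwise."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT_BYTES = 64 * 1024  # most inflated text we are willing to hold per chunk


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_payload: bytes) -> bytes:
    """Constructed 1x1 grayscale PNG carrying one zTXt chunk (keyword, NUL, method 0, zlib)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    ztxt = b"Comment\x00\x00" + zlib.compress(text_payload, 9)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"zTXt", ztxt)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, checking framing and CRC before use."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            return


def inflate_bounded(data: bytes, limit: int) -> bytes:
    """Inflate at most `limit` bytes; refuse streams that would expand further."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)  # max_length stops inflation early
    if len(out) > limit or d.unconsumed_tail:
        raise ValueError("inflated text exceeds limit")
    return out


def scan_png(png: bytes, read_text: bool = False, limit: int = MAX_TEXT_BYTES) -> dict:
    """Walk the file; zTXt is skipped unless read_text is set, and then size-capped."""
    report = {"chunks": [], "ztxt_skipped": 0, "ztxt_rejected": 0, "texts": []}
    for ctype, data in iter_chunks(png):
        report["chunks"].append(ctype.decode("ascii"))
        if ctype != b"zTXt":
            continue
        if not read_text:
            report["ztxt_skipped"] += 1
            continue
        keyword, _, rest = data.partition(b"\x00")
        if not rest or rest[0] != 0:  # only compression method 0 (zlib) is defined
            report["ztxt_rejected"] += 1
            continue
        try:
            text = inflate_bounded(rest[1:], limit)
        except ValueError:
            report["ztxt_rejected"] += 1
            continue
        report["texts"].append((keyword.decode("latin-1"), text))
    return report


if __name__ == "__main__":
    # 4 MB of repeated bytes compresses to a few KB: the shape of a decompression DoS.
    bomb = build_sample_png(b"A" * 4_000_000)
    print(len(bomb), "bytes on the wire ->", scan_png(bomb, read_text=True))
```

The default path never touches the compressed payload at all; the opt-in path uses `zlib.decompressobj().decompress(data, max_length)` so inflation halts at the cap instead of allocating whatever the stream asks for.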

CVEID: CVE-2016-5548

DESCRIPTION: DSA signing exhibits a timing bias that may leak information
about the per-signature nonce k.

CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120864 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5549

DESCRIPTION: ECDSA signing exhibits a timing bias that may leak information
about the per-signature nonce k.

CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120863 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3252

DESCRIPTION: A flaw in com.sun.security.auth.module.LdapLoginModule leads to
deserialization of untrusted data (LDAP responses).

The implementation has been changed to correct the problem.

CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5547

DESCRIPTION: A flaw in the JCE component means that the value of a parameter
in RSA keys is not validated before being used to size a new byte array. This
allows an attacker to inflict a DoS with a maliciously crafted key with a very
large value for the parameter, which leads to an OutOfMemoryError. The fix
ensures that the value of the parameter is validated before use.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
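Two of the entries above share one root cause in ASN.1 handling: CVE-2016-5546 is a decoder that tolerates non-canonical encodings (extraneous bytes, long-form lengths, redundant leading zeros) when DER promises exactly one encoding per value, and CVE-2016-5547 is a decoder that trusts a declared length before checking it. The Python example below is added here and is not IBM's or the JDK's code; it implements a strict DER parser for an ECDSA signature, `SEQUENCE { INTEGER r, INTEGER s }`, that rejects every non-minimal form and bounds each declared length against both the remaining input and the largest value a curve can produce before anything is read. The r and s values and the mutated test vectors are constructed; the canonical-form test is simply "re-encoding the parsed values must reproduce the input byte for byte".

```python
"""Strict DER parsing of an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }."""
from typing import Dict, Tuple

# Constructed sample values; top bits clear, so each is a minimal 8-byte INTEGER.
R = 0x1FBE0A4D3C2B1A09
S = 0x7C6E5D4C3B2A1908


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
    return b"\x02" + _encode_len(len(body)) + body


def encode_ecdsa_signature(r: int, s: int) -> bytes:
    content = _encode_int(r) + _encode_int(s)
    return b"\x30" + _encode_len(len(content)) + content


def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read a DER length; reject indefinite, oversized and non-minimal forms."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length octets")
    if pos + n > len(buf):
        raise ValueError("truncated length")
    if buf[pos] == 0:
        raise ValueError("non-minimal length (leading zero octet)")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80:
        raise ValueError("non-minimal length (should use short form)")
    return length, pos + n


def _read_int(buf: bytes, pos: int, end: int, max_len: int) -> Tuple[int, int]:
    """Read a positive, minimally encoded INTEGER whose length is bounded before use."""
    if pos >= end or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1)
    if length == 0 or length > max_len:
        raise ValueError("INTEGER length out of bounds")
    if pos + length > end:
        raise ValueError("INTEGER runs past its container")
    content = buf[pos:pos + length]
    if content[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(content, "big"), pos + length


def parse_ecdsa_signature(sig: bytes, max_int_len: int = 67) -> Tuple[int, int]:
    """max_int_len = 66 bytes for a 521-bit curve plus one optional 0x00 sign byte."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _read_len(sig, 1)
    if seq_len > len(sig) - pos:
        raise ValueError("declared length exceeds input")
    end = pos + seq_len
    if end != len(sig):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_int(sig, pos, end, max_int_len)
    s, pos = _read_int(sig, pos, end, max_int_len)
    if pos != end:
        raise ValueError("extra bytes inside SEQUENCE")
    if r == 0 or s == 0:
        raise ValueError("r and s must be non-zero")
    return r, s


def is_canonical(sig: bytes) -> bool:
    """A signature is acceptable only if it parses and re-encodes to the same bytes."""
    try:
        r, s = parse_ecdsa_signature(sig)
    except ValueError:
        return False
    return encode_ecdsa_signature(r, s) == sig


GOOD = encode_ecdsa_signature(R, S)  # 30 14 02 08 <r> 02 08 <s>

# Constructed variants: each carries the same (r, s) in a non-DER or malformed wrapper.
SAMPLE_VECTORS: Dict[str, bytes] = {
    "canonical": GOOD,
    "trailing_byte": GOOD + b"\x00",
    "long_form_length": b"\x30\x81\x14" + GOOD[2:],
    "leading_zero_integer": b"\x30\x15\x02\x09\x00" + GOOD[4:],
    "oversized_length": b"\x30\x84\xff\xff\xff\xff" + GOOD[2:],
    "negative_integer": b"\x30\x14\x02\x08\x9f" + GOOD[5:],
}


def check_vectors() -> Dict[str, bool]:
    return {name: is_canonical(sig) for name, sig in SAMPLE_VECTORS.items()}
```

The `oversized_length` vector is the CVE-2016-5547 shape: a four-byte length field claiming 4 GiB is rejected by comparing it with the bytes actually present, before any buffer is sized from it. The remaining rejected vectors are the CVE-2016-5546 shape: they all decode to the same (r, s) as the canonical form, and a verifier that accepts them is accepting several distinct byte strings for one signature.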

CVEID: CVE-2016-5552

DESCRIPTION: A flaw in the java.net.URL implementation can be exploited by an
attacker to obfuscate URLs. The fix addresses the flaw so that URLs are parsed
correctly.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120872 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3261

DESCRIPTION: An integer overflow flaw in the SocketOutputStream implementation
allows untrusted code to access potentially sensitive information via
arbitrary memory reads.

The fix detects the integer overflow and handles it gracefully.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120866 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3231

DESCRIPTION: A flaw in URLClassLoader allows untrusted code to bypass
permission checks and trigger HTTP GET requests that would otherwise be
blocked by the security manager.

The fix adds new permission checks to prevent the unauthorised HTTP requests
from occurring.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120865 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-3259

DESCRIPTION: A flaw in the Deploy component allows a malicious proxy
auto-configuration (PAC) script to obtain sensitive information via a
man-in-the-middle attack.

The fix removes sensitive information from the data that can be intercepted by
PAC scripts.

CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120859 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-2183

DESCRIPTION: 3DES can be exploited for block collisions when long-running
sessions are allowed (SWEET32).

The IBM fix adds DESede/3DES_EDE_CBC to the jdk.tls.disabledAlgorithms
property in the java.security file.

CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
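Two of the fixes in this bulletin land in the JRE's `java.security` file rather than in code: the SWEET32 fix (CVE-2016-2183) adds 3DES to `jdk.tls.disabledAlgorithms`, and the JEP 290 filtering behind CVE-2017-3241 is configured through the `jdk.serialFilter` property, which can be set in the same file. Verifying that a patched runtime actually carries both settings is a routine post-upgrade check, so the Python example below, added here and not IBM's code, parses `java.security` syntax (comments, `=` separators, backslash line continuation) and reports whether 3DES is disabled for TLS and whether a serialization filter is defined. The two file excerpts are constructed for the example, not copies of IBM's shipped configuration; the filter pattern is a placeholder, and the 3DES check accepts either spelling named in the bulletin (`DESede` or `3DES_EDE_CBC`) because the bulletin does not say which token IBM's file uses.

```python
"""Audit a java.security file for the two settings this bulletin's fixes rely on."""
import re
from typing import Dict, List

# Constructed excerpts in java.security syntax. Not IBM's shipped file.
WEAK_JAVA_SECURITY = """\
# constructed sample: 3DES still enabled for TLS, no deserialization filter
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

HARDENED_JAVA_SECURITY = """\
# constructed sample: 3DES disabled as the bulletin describes, filter in place
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DESede, 3DES_EDE_CBC
# placeholder filter: reject one package, cap graph depth, refs, bytes, arrays
jdk.serialFilter=!org.example.untrusted.**;maxdepth=20;maxrefs=5000;\\
    maxbytes=1048576;maxarray=100000
"""

_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")
TRIPLE_DES_NAMES = {"DESEDE", "3DES_EDE_CBC"}


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: comments, '=' or ':' keys, '\\' continuation."""
    props: Dict[str, str] = {}
    logical, continuing = "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continuing = True
            continue
        logical += line
        continuing = False
        m = _KV.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def split_algorithm_list(value: str) -> List[str]:
    """jdk.*.disabledAlgorithms is a comma-separated list of constraint entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def algorithm_name(entry: str) -> str:
    """'DH keySize < 1024' -> 'DH'; '3DES_EDE_CBC' -> '3DES_EDE_CBC'."""
    return entry.split()[0].upper()


def check_hardening(props: Dict[str, str]) -> dict:
    disabled = split_algorithm_list(props.get("jdk.tls.disabledAlgorithms", ""))
    names = {algorithm_name(entry) for entry in disabled}
    serial_filter = props.get("jdk.serialFilter", "")
    return {
        "tls_3des_disabled": bool(names & TRIPLE_DES_NAMES),
        "serial_filter_set": bool(serial_filter),
        "serial_filter": serial_filter,
        "disabled_algorithms": disabled,
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_JAVA_SECURITY), ("hardened", HARDENED_JAVA_SECURITY)):
        findings = check_hardening(parse_java_properties(text))
        print(label, {k: findings[k] for k in ("tls_3des_disabled", "serial_filter_set")})
```

Point `parse_java_properties` at the contents of `<JRE>/lib/security/java.security` after applying the 7.1.3.60 update to confirm the 3DES entry is present; a missing `jdk.serialFilter` is a finding only if the deployment relies on the global property rather than a filter set in code.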

Affected Products and Versions

Rational Publishing Engine 1.3

Rational Publishing Engine 2.0

Rational Publishing Engine 2.0.1

Rational Publishing Engine 2.1.0

Rational Publishing Engine 2.1.1

Remediation/Fixes

Upgrade the IBM Java Runtime environment used with Rational Publishing Engine
to version 7.1.3.60, which can be downloaded from

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FIBM+Rational+Publishing+Engine&fixids=Rational-RPE-JavaSE-JRE-7.1SR4FP1&source=SAR

Workarounds and Mitigations

None.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

16 May 2017: Initial Publication

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----