Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.1591
IBM QRadar SIEM is vulnerable to various CVEs
26 June 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: QRadar SIEM
Publisher: IBM
Operating System: Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-1234 CVE-2016-9972 CVE-2016-9738
CVE-2016-3697 CVE-2015-3631 CVE-2015-3630
CVE-2015-3627 CVE-2015-1843 CVE-2014-1912
Reference: ESB-2016.2635
ESB-2016.1184
ESB-2015.2113
ESB-2015.1938
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg22004925
http://www.ibm.com/support/docview.wss?uid=swg22004926
http://www.ibm.com/support/docview.wss?uid=swg22004947
http://www.ibm.com/support/docview.wss?uid=swg22004948
Comment: This bulletin contains four (4) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM QRadar SIEM has weak password requirements.
(CVE-2016-9738)
Security Bulletin
Document information
More support for: IBM Security QRadar SIEM
Software version: 7.2, 7.3
Operating system(s): Linux
Software edition: All Editions
Reference #: 2004926
Modified date: 23 June 2017
Summary
The product does not require that users should have strong passwords by
default, which makes it easier for attackers to compromise user accounts.
Vulnerability Details
CVEID: CVE-2016-9738
DESCRIPTION: IBM QRadar does not require that users should have strong
passwords by default, which makes it easier for attackers to compromise user
accounts.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119783 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
IBM QRadar SIEM 7.2.0 7.2.8 Patch 6
IBM QRadar SIEM 7.3.0 7.3.0 Patch 1
Remediation/Fixes
IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 7
IBM QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 3
Workarounds and Mitigations
None
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza
Change History
19 June 2017: First Publish
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
=======================================================================
Security Bulletin: IBM QRadar SIEM is missing HSTS header. (CVE-2016-9972)
Security Bulletin
Document information
More support for: IBM Security QRadar SIEM
Software version: 7.2, 7.3
Operating system(s): Linux
Software edition: All Editions
Reference #: 2004925
Modified date: 23 June 2017
Summary
The product is missing the HTTP Strict Transport Security header. Users can
navigate by mistake to the unencrypted version of the web application or
accept invalid certificates. This leads to sensitive data being sent
unencrypted over the wire.
Vulnerability Details
CVEID: CVE-2016-9972
DESCRIPTION: IBM Qradar could allow a remote attacker to obtain sensitive
information, caused by the failure to properly enable HTTP Strict Transport
Security. An attacker could exploit this vulnerability to obtain sensitive
information using man in the middle techniques.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120208 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
IBM QRadar SIEM 7.2.0 7.2.8 Patch 6
IBM QRadar SIEM 7.3.0 7.3.0 Patch 1
Remediation/Fixes
IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 7
IBM QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 3
Workarounds and Mitigations
None
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza
Change History
19 June 2017: First Publish
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
=======================================================================
Security Bulletin: Docker and Python as used in IBM QRadar SIEM is vulnerable
to various CVEs.
Security Bulletin
Document information
More support for: IBM Security QRadar SIEM
Software version: 7.2
Operating system(s): Linux
Software edition: All Editions
Reference #: 2004947
Modified date: 23 June 2017
Summary
The product includes vulnerable components (e.g., framework libraries) that
may be identified and exploited with automated tools.
Vulnerability Details
CVEID: CVE-2016-3697
DESCRIPTION: Docker could allow a local attacker to gain elevated privileges
on the system, caused by an error in libcontainer/user/user.go. By using a
numeric username in the password file in a container, an attacker could
exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113791 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2015-3631
DESCRIPTION: Docker could allow a remote attacker to bypass security
restrictions, caused by the configuration of volume mounts to override files
of /proc within a mount namespace. An attacker could exploit this
vulnerability using specially-crafted images to specify arbitrary policies for
Linux Security Modules.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/103094 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-3630
DESCRIPTION: Docker could allow a remote attacker to obtain sensitive
information, caused by multiple read/write proc paths being writable from
containers. An attacker could exploit this vulnerability to modify the host
and obtain sensitive information.
CVSS Base Score: 5.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/103093 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-3627
DESCRIPTION: A symlink vulnerability in Libcontainer and Docker Engine
regarding the file-descriptor being opened prior to performing the chroot
could allow a local attacker to gain elevated privileges on the system. An
attacker could exploit this vulnerability using a specially crafted Dockerfile
or image to gain elevated privileges on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/103092 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2015-1843
DESCRIPTION: Red Hat docker package is vulnerable to a man-in-the-middle
attack, caused by the use of the --add-registry option. A remote attacker
could exploit this vulnerability to perform downgrade attacks to obtain
authentication and image data to conduct man-in-the-middle attacks.
CVSS Base Score: 5.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/102670 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVEID: CVE-2014-1912
DESCRIPTION: Python is vulnerable to a buffer overflow, caused by improper
bounds checking by sock_recvfrom_into() function. By sending an overly long
argument, a remote attacker could overflow a buffer and execute arbitrary code
on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/90931 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
IBM QRadar 7.2.0 - 7.2.8 Patch 6
Remediation/Fixes
IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 7
Workarounds and Mitigations
None
References
Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John
Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza
Change History
19 June 2017: First Publish
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
===============================================================================
Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting.
(CVE-2017-1234)
Security Bulletin
Document information
More support for: IBM Security QRadar SIEM
Software version: 7.2, 7.3
Operating system(s): Linux
Software edition: All Editions
Reference #: 2004948
Modified date: 23 June 2017
Summary
stored XSS vulnerability in QRadar system v 7.2.8.
Vulnerability Details
CVEID: CVE-2017-1234
DESCRIPTION: IBM QRadar is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/123913 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
IBM QRadar 7.2.0 - 7.2.8 Patch 6
IBM QRadar 7.3.0 - 7.3.0 Patch 1
Remediation/Fixes
IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 7
IBM QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 3
Workarounds and Mitigations
None
References
Complete CVSS v3 Guide
On-line Calculator v3
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
The vulnerability was reported to IBM by Mohammed Shameem Shahnawaz
Change History
19 June 2017: First Publish
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWVBUX4x+lLeg9Ub1AQjphhAAme8TkBrPHddNQh2OJUH1BupzlLQ8byP4
+3aFSQPORaM65eXx7PI2fi+KQxq2i5xNV1tm53psRy8yKU5KIXBHW3srQx2//Z59
kmAqx+nzUHv0gpu6Nqq7Y2394PRAAr4/BgUN0oPVlQPmFnMbkkhc0upKX0jWOLOB
IUmnsE9mH2s1OWfN+5bq7IH4RwOWDWyFwkSyNl5Rw/RggS1qmiCRg7EHjALt/T8z
t1GgVODh7b+PbMEkGqzv4jOq4RkDZ+M0LnDjE/s5wtBjEe7hMp8oCJ/PqKqvbRCH
n+y+hInA5Tupn/NwgymlFrNMtjwLpkqwL9DEiNwm7hAITyNZFBcUYge34u4CMWFP
lGT4e0yxoZdFLTFwz56k+iEjinHtrDppQ3xWfZtSVfYT7kCl7MoAkFsKmkrmOTgq
mzGYqoNJr6G7Nj79fAuG5OuLCaFkPumYbiZyAL/HkZDnjA2h9s8RQlraSbbIxkY9
fKWo8mZKLRU06XkV7cV2+9TbC10Fjmwtf5IAw4k8I+okMpMvQQ37pLbBJeJzQ2GD
oUaZMiAuOUZ+JQSFhBs0gKfX+cYuMk6QozzD8VLqnG2OSvQLG009+eB9dpHhksjS
I0EOONKiqwZLWS9K6p96sdvRFu89SvKV/4v02MPFzOwa7mLln0YBn4KcBkmNpvU4
3C8zmW1ZkI8=
=I8ME
-----END PGP SIGNATURE-----