-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3788
                  IBM DataPower Gateways security update
                               6 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DataPower Gateways
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1663

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm10740033

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM DataPower Gateways is affected by a downgrade
vulnerability (CVE-2018-1663)

Document information
Component:            General
Software version:     7.5, 7.5.1, 7.5.2, 7.6, 2018.4
Operating system(s):  Firmware
Software edition:     Edition Independent
Reference #:          0740033
Modified date:        05 December 2018

Summary

IBM DataPower Gateway has addressed the following vulnerability: CVE-2018-1663

Vulnerability Details

CVEID: CVE-2018-1663
DESCRIPTION: IBM DataPower Gateways could allow a remote attacker to obtain
sensitive information, caused by the failure to properly enable HTTP Strict
Transport Security. An attacker could exploit this vulnerability to obtain
sensitive information using man in the middle techniques.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144889
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM DataPower Gateway 7.7.0.0-7.7.1.3 (CD)
IBM DataPower Gateway 7.6.0.0-7.6.0.9
IBM DataPower Gateway 7.5.2.0-7.5.2.16
IBM DataPower Gateway 7.5.1.0-7.5.1.16
IBM DataPower Gateway 7.5.0.0-7.5.0.17

Remediation/Fixes

Product                  VRMF        APAR      Remediation / First Fix
IBM DataPower Gateway    2018.4.1.0  IT26364   Install the fixpack
IBM DataPower Gateway    7.6.0.10    IT26364   Install the fixpack
IBM DataPower Gateway    7.5.2.17    IT26364   Install the fixpack
IBM DataPower Gateway    7.5.1.17    IT26364   Install the fixpack
IBM DataPower Gateway    7.5.0.18    IT26364   Install the fixpack

For DataPower customers using versions 7.2.0 and earlier versions, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product.

Workarounds and Mitigations

None

Additional Bluemix Alert Information

Monitor the Bluemix console (https://console.ng.bluemix.net/status/) for
additional important product alerts.

Change History

5 December 2018: Initial version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================