===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0545
        Security Bulletin: IBM MQ Appliance multiple vulnerabilities
                              22 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM MQ Appliance
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Cross-site Scripting   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12384 CVE-2018-10845 CVE-2018-10844
                   CVE-2018-5730 CVE-2018-5729 CVE-2018-5391
                   CVE-2018-1668 CVE-2018-1666 CVE-2018-1661
Reference:         ASB-2019.0060 ASB-2019.0041 ASB-2018.0222.3
                   ESB-2018.2361 ESB-2018.2358 ESB-2018.2348.4
                   ESB-2018.2342 ESB-2018.2296.2

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10792549
   http://www.ibm.com/support/docview.wss?uid=ibm10796246
   http://www.ibm.com/support/docview.wss?uid=ibm10871908
   http://www.ibm.com/support/docview.wss?uid=ibm10792535
   http://www.ibm.com/support/docview.wss?uid=ibm10739235
   http://www.ibm.com/support/docview.wss?uid=ibm10792531
   http://www.ibm.com/support/docview.wss?uid=ibm10739241

Comment: This bulletin contains seven (7) advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM MQ Appliance is affected by a Mozilla Network Security Services (NSS) vulnerability (CVE-2018-12384)

Document information
More support for: IBM MQ Appliance
Software version: 8.0.0.0, 8.0.0.1, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 9.1.0.0
Operating system(s): Appliance
Reference #: 0792549
Modified date: 21 February 2019

Summary
IBM MQ Appliance has addressed the following Mozilla Network Security Services (NSS) vulnerability.
Vulnerability Details

CVEID: CVE-2018-12384
DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by the improper handling of an SSLv2-compatible ClientHello message. By conducting a passive replay attack, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150436 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM MQ Appliance 8.0
Maintenance levels between 8.0.0.0 and 8.0.0.11

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance level 9.1.0.0

Remediation/Fixes

IBM MQ Appliance 8.0
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply fixpack 9.1.0.1, or later.

Workarounds and Mitigations
None

Change History
21 Feb 2019: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
======================================================

Security Bulletin: IBM MQ Appliance is affected by krb5 vulnerabilities (CVE-2018-5730 and CVE-2018-5729)

Document information
More support for: IBM MQ Appliance
Software version: 9.1.0, 9.1.0.1, 9.1.1
Operating system(s): Appliance
Reference #: 0796246
Modified date: 20 February 2019

Summary
IBM MQ Appliance has addressed the following krb5 vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-5730
DESCRIPTION: MIT krb5 could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the LDAP Kerberos database. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass the DN container check.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139970 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-5729
DESCRIPTION: MIT krb5 is vulnerable to a denial of service, caused by a NULL pointer dereference in the LDAP Kerberos database. By sending specially-crafted data, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139969 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance levels 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359, or later.
Workarounds and Mitigations
None

Change History
20 Feb 2019: Original version published

======================================================

Security Bulletin: IBM MQ Appliance is affected by an unauthorized access vulnerability (CVE-2018-1668)

Document information
More support for: IBM MQ Appliance
Software version: 8.0.0.0, 8.0.0.1, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 9.1.0, 9.1.0.1, 9.1.1
Operating system(s): Appliance
Reference #: 0871908
Modified date: 21 February 2019

Summary
IBM MQ Appliance has addressed the following unauthorized access vulnerability.

Vulnerability Details

CVEID: CVE-2018-1668
DESCRIPTION: IBM WebSphere DataPower Appliances allows "null" logins which could give read access to IPMI data to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144894 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM MQ Appliance 8.0
Maintenance levels between 8.0.0.0 and 8.0.0.11

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance levels between 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 8.0
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359, or later.

Workarounds and Mitigations
Only affects the IBM MQ Appliance when the IPMI interface is enabled.

Change History
21 Feb 2019: Original version published
======================================================

Security Bulletin: IBM MQ Appliance is affected by a kernel vulnerability (CVE-2018-5391)

Document information
More support for: IBM MQ Appliance
Software version: 9.1.0.0, 9.1.0.1, 9.1.1
Operating system(s): Appliance
Reference #: 0792535
Modified date: 20 February 2019

Summary
IBM MQ Appliance has addressed the following kernel vulnerability.

Vulnerability Details

CVEID: CVE-2018-5391
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the reassembly of fragmented IPv4 and IPv6 packets by the IP implementation. By sending specially crafted IP fragments with random offsets, a remote attacker could exploit this vulnerability to exhaust all available CPU resources and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148388 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance levels between 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359, or later.

Workarounds and Mitigations
None

Change History
20 Feb 2019: Original version published
======================================================

Security Bulletin: IBM MQ Appliance is affected by a cross-site request forgery vulnerability (CVE-2018-1661)

Document information
More support for: IBM MQ Appliance
Software version: All Versions
Operating system(s): Appliance
Reference #: 0739235
Modified date: 21 February 2019

Summary
IBM MQ Appliance has addressed the following cross-site request forgery vulnerability.

Vulnerability Details

CVEID: CVE-2018-1661
DESCRIPTION: IBM WebSphere DataPower Appliances is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144887 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM MQ Appliance 8.0
Maintenance levels between 8.0.0.0 and 8.0.0.11

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance levels between 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 8.0
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359, or later.
Workarounds and Mitigations
None

Change History
21 Feb 2019: Original version published

======================================================

Security Bulletin: IBM MQ Appliance is affected by GnuTLS vulnerabilities (CVE-2018-10845 and CVE-2018-10844)

Document information
More support for: IBM MQ Appliance
Software version: 9.1.0.0, 9.1.0.1, 9.1.1
Operating system(s): Appliance
Reference #: 0792531
Modified date: 20 February 2019

Summary
IBM MQ Appliance has addressed the following GnuTLS vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-10845
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information, caused by a flaw in the implementation of HMAC-SHA-384. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to obtain information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148730 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10844
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information, caused by a flaw in the implementation of HMAC-SHA-256. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to obtain information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148731 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance levels between 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359, or later.

Workarounds and Mitigations
None

Change History
20 Feb 2019: Original version published
======================================================

Security Bulletin: IBM MQ Appliance is affected by a UI message injection vulnerability (CVE-2018-1666)

Document information
More support for: IBM MQ Appliance
Software version: All Versions
Operating system(s): Appliance
Reference #: 0739241
Modified date: 21 February 2019

Summary
IBM MQ Appliance has addressed the following UI message injection vulnerability.

Vulnerability Details

CVEID: CVE-2018-1666
DESCRIPTION: IBM WebSphere DataPower Appliances could allow an authenticated user to inject arbitrary messages that would be displayed on the UI.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144892 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM MQ Appliance 8.0
Maintenance levels between 8.0.0.0 and 8.0.0.11

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance levels between 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 8.0
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359, or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359, or later.

Workarounds and Mitigations
None

Change History
14 Feb 2019: Original version published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================