-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0945
   IBM Security Bulletin: Multiple vulnerabilities affecting IBM Streams
                               22 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Streams
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Increased Privileges            -- Existing Account            
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12539 CVE-2018-8039 CVE-2018-2973
                   CVE-2018-2952 CVE-2018-2940 CVE-2018-1851
                   CVE-2018-1656 CVE-2018-1517 CVE-2016-0705
                   CVE-2014-7810  

Reference:         ESB-2019.0589
                   ESB-2019.0570
                   ESB-2019.0566
                   ESB-2019.0423
                   ESB-2019.0372.2
                   ESB-2019.0303
                   ESB-2019.0237
                   ESB-2019.0077
                   ESB-2019.0029
                   ESB-2018.3512.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10872052
   http://www.ibm.com/support/docview.wss?uid=ibm10872056
   http://www.ibm.com/support/docview.wss?uid=ibm10737251
   http://www.ibm.com/support/docview.wss?uid=ibm10737247

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in WAS traditional and liberty

Product:             IBM Streams

Software version:    All Versions

Operating system(s): Linux

Reference #:         0872052

Modified date:       20 February 2019

Security Bulletin

Summary

There are vulnerabilities in WAS traditional and liberty used by IBM Streams.
IBM Streams has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-7810
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security
restrictions, caused by the use of expression language. An attacker could
exploit this vulnerability to bypass the protections of a Security Manager.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103155 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Affected InfoSphere Streams  Affected Versions
InfoSphere Streams          4.0.1.6 and earlier
InfoSphere Streams          3.2.1.6 and earlier
IBM Streams                 4.1.1.7 and earlier
IBM Streams                 4.2.1.5 and earlier
IBM Streams                 4.3.0.0

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

To remediate/fix this issue, follow the instructions below:

Version 4.3.x: Apply 4.3.0 Fix Pack 1 (4.3.0.1) or higher.
Version 4.2.x: Apply 4.2.1 Fix Pack 4 (4.2.1.6) or higher.
Version 4.1.x: Apply 4.1.1 Fix Pack 6 (4.1.1.8) or higher.
Version 4.0.x: Apply 4.0.1 Fix Pack 6 (4.0.1.6) or higher.
Versions 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product. Customers who cannot upgrade and need to secure their installation
should open a PMR with IBM Technical Support and request assistance securing
their InfoSphere Streams system against the vulnerabilities identified in this
Security Bulletin.

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

===============================================================================

Vulnerabilities in deserialization of openid connect cookie

Product:             IBM Streams

Software version:    All Versions

Operating system(s): Linux

Reference #:         0872056

Modified date:       20 February 2019

Security Bulletin

Summary

There are vulnerabilities in deserialization of openid connect cookie used by
IBM Streams. IBM Streams has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2018-1851
DESCRIPTION: IBM WebSphere Application Server OpenID Connect could allow a
remote attacker to execute arbitrary code on the system, caused by improper
deserialization. By sending a specially-crafted request to the RP service, an
attacker could exploit this vulnerability to execute arbitrary code.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150999 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected InfoSphere Streams  Affected Versions
InfoSphere Streams          4.0.1.6 and earlier
InfoSphere Streams          3.2.1.6 and earlier
IBM Streams                 4.1.1.7 and earlier
IBM Streams                 4.2.1.5 and earlier
IBM Streams                 4.3.0.0

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

To remediate/fix this issue, follow the instructions below:

Version 4.3.x: Apply 4.3.0 Fix Pack 1 (4.3.0.1) or higher.
Version 4.2.x: Apply 4.2.1 Fix Pack 4 (4.2.1.6) or higher.
Version 4.1.x: Apply 4.1.1 Fix Pack 6 (4.1.1.8) or higher.
Version 4.0.x: Apply 4.0.1 Fix Pack 6 (4.0.1.6) or higher.
Versions 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product. Customers who cannot upgrade and need to secure their installation
should open a PMR with IBM Technical Support and request assistance securing
their InfoSphere Streams system against the vulnerabilities identified in this
Security Bulletin.

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

===============================================================================

Vulnerability in Apache CXF

Product:             IBM Streams

Software version:    All Versions

Operating system(s): Linux

Reference #:         0737251

Security Bulletin

Summary

There's a vulnerability in Apache CXF used by IBM Streams. IBM Streams has
addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2018-8039
DESCRIPTION: Apache CXF could allow a remote attacker to conduct a
man-in-the-middle attack. The TLS hostname verification does not work correctly
with com.sun.net.ssl interface. An attacker could exploit this vulnerability to
launch a man-in-the-middle attack.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected InfoSphere Streams  Affected Versions
InfoSphere Streams          4.0.1.6 and earlier
InfoSphere Streams          3.2.1.6 and earlier
IBM Streams                 4.1.1.6 and earlier
IBM Streams                 4.2.1.4 and earlier
IBM Streams                 4.3.0.0

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

To remediate/fix this issue, follow the instructions below:

Version 4.3.x: Contact IBM technical support.
Version 4.2.x: Apply 4.2.1 Fix Pack 4 (4.2.1.5) or higher.
Version 4.1.x: Apply 4.1.1 Fix Pack 6 (4.1.1.7) or higher.
Version 4.0.x: Apply 4.0.1 Fix Pack 6 (4.0.1.6) or higher.
Versions 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product. Customers who cannot upgrade and need to secure their installation
should open a PMR with IBM Technical Support and request assistance securing
their InfoSphere Streams system against the vulnerabilities identified in this
Security Bulletin.

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

===============================================================================

Vulnerability in IBM SDK, Java Technology Edition Quarterly CPU

Product:             IBM Streams

Software version:    All Versions

Operating system(s): Linux

Reference #:         0737247

Security Bulletin

Summary

There are multiple vulnerabilities in IBM SDK, Java Technology Edition
Quarterly CPU used by IBM Streams. IBM Streams has addressed the applicable
CVEs.

Vulnerability Details

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a
double-free error when parsing DSA private keys. An attacker could exploit this
vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-1517
DESCRIPTION: A flaw in the java.math component in IBM SDK, Java Technology
Edition may allow an attacker to inflict a denial-of-service attack with
specially crafted String data.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141681 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1656
DESCRIPTION: The IBM Java Runtime Environment's Diagnostic Tooling Framework
for Java (DTFJ) does not protect against path traversal attacks when extracting
compressed dump files.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
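
CVE-2018-1656 above names the weakness as path traversal during extraction of compressed dump files. The Python below is an added illustration of the containment check such an extractor needs; it is not IBM's or DTFJ's code and is not part of the bulletin. Each member name is resolved against the target directory and refused if it lands outside it; the archive contents and the /tmp/dump-extract target directory are constructed placeholders.

```python
import io
import zipfile
from pathlib import Path, PureWindowsPath


class UnsafeArchiveEntry(ValueError):
    """An archive member whose name would place it outside the extraction directory."""


def safe_member_path(target_dir: str, member_name: str) -> Path:
    """Return the destination for one archive member, or raise if it escapes target_dir.

    The name is not trusted at all: backslashes are treated as separators,
    absolute names (POSIX or Windows drive-qualified) are refused, and the
    joined path is fully resolved so that '..' segments anywhere in the name
    are evaluated before the containment test.
    """
    root = Path(target_dir).resolve()
    normalised = member_name.replace("\\", "/")
    if normalised.startswith("/") or PureWindowsPath(normalised).drive:
        raise UnsafeArchiveEntry(f"absolute member name {member_name!r}")
    destination = (root / normalised).resolve()
    if destination != root and root not in destination.parents:
        raise UnsafeArchiveEntry(f"member {member_name!r} resolves outside {root}")
    return destination


def audit_archive(data: bytes, target_dir: str) -> dict:
    """Classify every member of a zip archive before anything is written to disk."""
    report = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                safe_member_path(target_dir, info.filename)
            except UnsafeArchiveEntry:
                report["rejected"].append(info.filename)
            else:
                report["safe"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed fixture: one legitimate dump member plus two names an
    extractor must refuse (a parent-directory escape and an absolute path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("core.20190220.dmp", b"constructed dump contents")
        zf.writestr("../../outside.txt", b"must not be written")
        zf.writestr("/abs/outside.txt", b"must not be written")
    return buf.getvalue()


if __name__ == "__main__":
    # "/tmp/dump-extract" is a placeholder target directory; nothing is created on disk.
    print(audit_archive(build_sample_archive(), "/tmp/dump-extract"))
```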

CVEID: CVE-2018-2973
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded JSSE component could allow an unauthenticated attacker to
cause no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146835 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-2952
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded, JRockit Concurrency component could allow an
unauthenticated attacker to cause a denial of service resulting in a low
availability impact using unknown attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146815 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-2940
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE, Java SE Embedded Libraries component could allow an unauthenticated
attacker to obtain sensitive information resulting in a low confidentiality
impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/146803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-12539
DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated
privileges on the system, caused by the failure to restrict the use of Java
Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and
use Attach API operations to only the process owner. An attacker could exploit
this vulnerability to execute untrusted native code and gain elevated
privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148389 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected InfoSphere Streams  Affected Versions
InfoSphere Streams          4.0.1.6 and earlier
InfoSphere Streams          3.2.1.6 and earlier
IBM Streams                 4.1.1.6 and earlier
IBM Streams                 4.2.1.4 and earlier
IBM Streams                 4.3.0.0

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

To remediate/fix this issue, follow the instructions below:

Version 4.3.x: Contact IBM technical support.
Version 4.2.x: Apply 4.2.1 Fix Pack 4 (4.2.1.5) or higher.
Version 4.1.x: Apply 4.1.1 Fix Pack 6 (4.1.1.7) or higher.
Version 4.0.x: Apply 4.0.1 Fix Pack 6 (4.0.1.6) or higher.
Versions 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM
recommends upgrading to a fixed, supported version/release/platform of the
product. Customers who cannot upgrade and need to secure their installation
should open a PMR with IBM Technical Support and request assistance securing
their InfoSphere Streams system against the vulnerabilities identified in this
Security Bulletin.

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----