-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1171
  IBM Security Bulletin: IBM API Connect Developer Portal is affected by
                          multiple vulnerabilities
                               8 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM API Connect
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9641 CVE-2019-9639 CVE-2019-9638 CVE-2019-9637
                   CVE-2019-8331 CVE-2019-6341 CVE-2019-4155
Reference:         ESB-2019.1166
                   ESB-2019.1092
                   ESB-2019.1066
                   ESB-2019.1000

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10879483
   http://www.ibm.com/support/docview.wss?uid=ibm10878775
   http://www.ibm.com/support/docview.wss?uid=ibm10879401
   http://www.ibm.com/support/docview.wss?uid=ibm10879443
   http://www.ibm.com/support/docview.wss?uid=ibm10879575

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM API Connect Developer Portal is affected by a cross site scripting
vulnerability in Bootstrap (CVE-2019-8331)

Product:             IBM API Connect
Component:           Developer Portal
Software version:    2018.1-2018.4.1.3
Operating system(s): Platform Independent
Reference #:         0879483

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-8331
DESCRIPTION: Bootstrap is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the tooltip or popover data-template. A
remote attacker could exploit this vulnerability to execute script in a victim's
Web browser within the security context of the hosting Web site. An attacker
could use this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157409
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM API Connect version 2018.1-2018.4.1.3

Remediation/Fixes

Affected Product:      IBM API Connect V2018.1 - 2018.4.1.3
Addressed in VRMF:     2018.4.1.4 fixpack
APAR:                  LI80764
Remediation/First Fix: Addressed in IBM API Connect v2018.4.1.4 fixpack. Follow
                       this link and find the appropriate 2018.4.1.4 portal
                       package suitable for the form factor of your
                       installation.
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.3&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Reference
  Complete CVSS v3 Guide
  On-line Calculator v3

Related Information
  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog
  IBM API Connect Support Lifecycle Policy

Change History
  April 4, 2019: Original bulletin published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

====================

IBM API Connect Developer Portal is affected by a cross site scripting
vulnerability in Drupal

Product:             IBM API Connect
Component:           Developer Portal
Software version:    2018.1-2018.4.1.3
Operating system(s): Platform Independent
Reference #:         0878775

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: Not Applicable
DESCRIPTION: EU Cookie Compliance module for Drupal is vulnerable to cross-site
scripting, caused by improper validation of user-supplied input. A remote
attacker could exploit this vulnerability to inject malicious script into a Web
page which would be executed in a victim's Web browser within the security
context of the hosting Web site, once the page is viewed. An attacker could use
this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157882
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM API Connect version 2018.1-2018.4.1.3

Remediation/Fixes

Affected Product:      IBM API Connect V2018.1 - 2018.4.1.3
Addressed in VRMF:     2018.4.1.4 fixpack
APAR:                  LI80744
Remediation/First Fix: Addressed in IBM API Connect v2018.4.1.4 fixpack. Follow
                       this link and find the appropriate 2018.4.1.4 portal
                       package suitable for the form factor of your
                       installation.
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.3&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Reference
  Complete CVSS v3 Guide
  On-line Calculator v3

Related Information
  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog
  IBM API Connect Support Lifecycle Policy

Change History
  April 3, 2019: Original bulletin published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

====================

IBM API Connect Developer Portal is affected by multiple PHP vulnerabilities
(CVE-2019-9641 CVE-2019-9637 CVE-2019-9639 CVE-2019-9638)

Product:             IBM API Connect
Component:           Developer Portal
Software version:    5.0.0.0-5.0.8.5, 2018.1-2018.4.1.3
Operating system(s): Platform Independent
Reference #:         0879401

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-9638
DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on the
system, caused by an uninitialized read flaw in the exif_process_IFD_in_MAKERNOTE
method. An attacker could exploit this vulnerability to execute arbitrary code
on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158118
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-9639
DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on the
system, caused by an uninitialized read flaw in the exif_process_IFD_in_MAKERNOTE
method. An attacker could exploit this vulnerability to execute arbitrary code
on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158119
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-9637
DESCRIPTION: PHP could allow a remote attacker to obtain sensitive information,
caused by a flaw in the implementation of the rename function. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158117
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-9641
DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on the
system, caused by an uninitialized read in exif_process_IFD_in_TIFF. An attacker
could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158121
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM API Connect version V5.0.0.0-5.0.8.5; 2018.1-2018.4.1.3

Remediation/Fixes

Affected Product:      IBM API Connect 5.0.0.0-5.0.8.5
Addressed in VRMF:     5.0.8.6
APAR:                  LI80755
Remediation/First Fix: Addressed in IBM API Connect V5.0.8.6 fix pack. Developer
                       Portal is impacted. Follow this link and find the
                       APIConnect-Portal package.
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.5&platform=All&function=all&source=fc

Affected Product:      IBM API Connect V2018.1 - 2018.4.1.3
Addressed in VRMF:     2018.4.1.4 fixpack
APAR:                  LI80755
Remediation/First Fix: Addressed in IBM API Connect v2018.4.1.4 fixpack.
                       Developer Portal is impacted. Follow this link and find
                       the "portal" package appropriate for the form factor of
                       your installation for 2018.4.1.4.
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.3&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Reference
  Complete CVSS v3 Guide
  On-line Calculator v3

Related Information
  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog
  IBM API Connect Support Lifecycle Policy

Change History
  April 3, 2019: Original bulletin published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

====================

IBM API Connect Developer Portal is affected by Cross Site Scripting (XSS) in
Drupal core (CVE-2019-6341)

Product:             IBM API Connect
Component:           Developer Portal
Software version:    5.0.0.0-5.0.8.5, 2018.1-2018.4.1.3
Operating system(s): Platform Independent
Reference #:         0879443

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: Not Applicable
DESCRIPTION: AddToAny Share Buttons Module for Drupal is vulnerable to
cross-site scripting, caused by improper validation of user-supplied input. A
remote authenticated attacker could exploit this vulnerability to inject
malicious script into a Web page which would be executed in a victim's Web
browser within the security context of the hosting Web site, once the page is
viewed. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158450
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-6341
DESCRIPTION: Drupal core is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the File module/subsystem. A
remote attacker could exploit this vulnerability using the file upload to inject
malicious script into a Web page which would be executed in a victim's Web
browser within the security context of the hosting Web site, once the page is
viewed. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158445
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM API Connect versions
  5.0.0.0-5.0.8.5
  2018.1-2018.4.1.3

Remediation/Fixes

Affected Product:      IBM API Connect 5.0.0.0-5.0.8.5
Addressed in VRMF:     5.0.8.6 fixpack
APAR:                  LI80743
Remediation/First Fix: Addressed in IBM API Connect V5.0.8.6 fixpack. Developer
                       Portal is impacted. Follow this link and find the
                       APIConnect-Portal package.
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.5&platform=All&function=all&source=fc

Affected Product:      IBM API Connect V2018.1 - 2018.4.1.3
Addressed in VRMF:     2018.4.1.4 fixpack
APAR:                  LI80743
Remediation/First Fix: Addressed in IBM API Connect v2018.4.1.4 fixpack.
                       Developer Portal is impacted. Follow this link and find
                       the "portal" package appropriate for the form factor of
                       your installation:
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.3&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Reference
  Complete CVSS v3 Guide
  On-line Calculator v3

Related Information
  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog
  IBM API Connect Support Lifecycle Policy

Change History
  April 3, 2019: Original bulletin published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
====================

IBM API Connect's Developer Portal is impacted by a privilege escalation
vulnerability (CVE-2019-4155)

Product:             IBM API Connect
Component:           Developer Portal
Software version:    2018.1-2018.4.1.3
Operating system(s): Platform Independent
Reference #:         0879575

Security Bulletin

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2019-4155
DESCRIPTION: IBM API Connect's Developer Portal is impacted by a privilege
escalation vulnerability when integrated with an OpenID Connect (OIDC) user
registry.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158544
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM API Connect version 2018.1-2018.4.1.3

Remediation/Fixes

Affected Product:      IBM API Connect V2018.1 - 2018.4.1.3
Addressed in VRMF:     2018.4.1.4 fixpack
APAR:                  LI80678
Remediation/First Fix: Addressed in IBM API Connect v2018.4.1.4 fixpack. Follow
                       this link and find the appropriate 2018.4.1.4 Developer
                       Portal package suitable for the form factor of your
                       installation.
                       http://www.ibm.com/support/fixcentral/swg/quickorderparent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.3&platform=All&function=all&source=fc

Workarounds and Mitigations

None

Reference
  Complete CVSS v3 Guide
  On-line Calculator v3

Related Information
  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog
  IBM API Connect Support Lifecycle Policy

Change History
  April 4, 2019: Original bulletin published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXKrWhGaOgq3Tt24GAQiROxAAiGYC0C5WQ31E6px6nlH8NdnvohSHpalJ
NnKGUlWoW7oblFKBFtCqDpPJ2zawu4iG5DvzSTQCH0FFMIU8UQLLRCGMIF8T5sBD
7nx5yM3NzsqCA8P5YxYYpgEEN86KV0B71XQ5Nicl1JsV3yjXourNlOVh3lCRj/He
Ls0AecgFVGDRMpp1+4GkhiuRicFZlZ2vx0qkkHdIpn+ZpouUYqkJO3HG8+hCiW2W
aWoqBp7j9THRnp82PiItvx7eT/rO502AGX+hBeizm/VQcCRrMf8s3uPsSLgTHiAO
OohPJ954FY8tjk4onfM+FDDKScbCUdpT0jh2IoTVf2wbmZURxhjlS6BvsQCkcpiS
z4MlWuxqaZd+1KgUVl8ohIvExSpH+RQdB/ZTLN3TrpgVWoRDBvJ+I5RBkiwwyAPu
tTRkAg4fw8B+9ASQ+ISP9rjR2Hn3I8qXOZ0VXjTLQpbiy/A75qUIQFThmNnjgB27
x/UoZvkvz323U37guyIc7fYirltHBKXyTZcTU2yHW8pwrY1D+PYdy3nwTeC2SuQ0
RfDriw9Mpn90lxHtaG8bQUcn8s6mrTqp66Q7nLBmi4wPMtFR3Cu0rHGRda9Prc/u
LddPRYdoQyDCZEipqVxzrMHAqHrFuc+Y3SzKyYPAd/TuZgjCvfje7kwjOFt7VkgJ
AZVvnalAfpQ=
=XjNb
-----END PGP SIGNATURE-----