===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1349
            Multiple vulnerabilities in IBM Java SDK affect AIX
                               18 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           AIX family
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2449 CVE-2019-2426 CVE-2019-2422
                   CVE-2018-12549 CVE-2018-12547 CVE-2018-11212
                   CVE-2018-1890  

Reference:         ESB-2019.0698
                   ESB-2019.0313
                   ESB-2019.0277

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10878376
   http://www.ibm.com/support/docview.wss?uid=ibm10878172

Comment: This bulletin contains two (2) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java SDK affect AIX

Product:             AIX family
Software version:    7.1, 7.2
Operating system(s): AIX
Reference #:         0878376

Security Bulletin

Summary

There are multiple vulnerabilities in IBM SDK, Java Technology Edition, Versions
7, 7.1 and 8, which are used by AIX. These issues were disclosed as part of the
IBM Java SDK updates in January 2019.

Vulnerability Details

CVEID: CVE-2018-1890
DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform
uses absolute RPATHs which may facilitate code injection and privilege
elevation by local users.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

CVEID: CVE-2018-12549
DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to execute arbitrary
code on the system, caused by the failure to omit a null check on the receiver
object of an Unsafe call when accelerating it. An attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157513
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-12547
DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by
improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions.
By sending an overly long argument, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157512
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-2422
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Libraries component could allow an unauthenticated attacker to obtain
sensitive information resulting in a low confidentiality impact using unknown
attack vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155741
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-2449
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Deployment component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155766
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2426
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java
SE Networking component could allow an unauthenticated attacker to obtain
sensitive information resulting in a low confidentiality impact using unknown
attack vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155744
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-11212
DESCRIPTION: libjpeg is vulnerable to a denial of service, caused by a
divide-by-zero error in the alloc_sarray function in jmemmgr.c. By persuading a
victim to open a specially crafted file, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143429
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

AIX 7.1, 7.2
The following fileset levels (VRMF) are vulnerable, if the respective Java
version is installed:

For Java7: Less than 7.0.0.640
For Java7.1: Less than 7.1.0.440
For Java8: Less than 8.0.0.530
Note: To find out whether the affected Java filesets are installed on your
systems, refer to the lslpp command in the AIX user's guide.

Example: lslpp -L | grep -i java

Remediation/Fixes

Note: Recommended remediation is to always install the most recent Java package
available for the respective Java version.

IBM SDK, Java Technology Edition, Version 7 Service Refresh 10 Fix Pack 40 and
subsequent releases:
32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.0.0.0&platform=AIX+64-bit,+pSeries&function=all

IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 4 Fix Pack 40 and
subsequent releases:
32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=7.1.0.0&platform=AIX+64-bit,+pSeries&function=all

IBM SDK, Java Technology Edition, Version 8 Service Refresh 5 Fix Pack 30 and
subsequent releases:
32-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all
64-bit: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all

Workarounds and Mitigations

None.


Acknowledgement

None.

--------------------------------------------------------------------------------

Vulnerability in OpenSSL affects AIX (CVE-2019-1559)

Product:             AIX family
Software version:    7.1, 7.2
Operating system(s): AIX
Reference #:         0878172

Security Bulletin

Summary

There is a vulnerability in OpenSSL used by AIX.

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to immediately close the TCP connection
after the hosts encounter a zero-length record with valid padding. An attacker
could exploit this vulnerability using a 0-byte record padding-oracle attack to
decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157514
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

AIX 7.1, 7.2
VIOS 2.2.x

The following fileset levels are vulnerable:

key_fileset = osrcaix
Fileset        Lower Level      Upper Level      KEY
-------------------------------------------------------
openssl.base   1.0.2.500        1.0.2.1601       key_w_fs
openssl.base   20.13.102.1000   20.16.102.1600   key_w_fs

Note:
A. OpenSSL versions 0.9.8 and 1.0.1 are out of support. Customers are advised to
upgrade to the currently supported OpenSSL 1.0.2 version.
B. The latest level of the OpenSSL fileset is available from the web download site:
https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp&S_PKG=openssl

To find out whether the affected filesets are installed on your systems, refer
to the lslpp command found in the AIX user's guide.

Example: lslpp -L | grep -i openssl.base
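The Java fileset thresholds above ("less than" a fixed level) and the openssl.base table (a level between a lower and an upper bound) are both VRMF comparisons. The script below is an added example, not part of the IBM or AusCERT bulletin; it runs those comparisons over a constructed lslpp-style sample, and the Java fileset name prefixes (Java7*, Java71*, Java8*) it matches on are an assumption.

```shell
# Added example, not from the IBM/AusCERT bulletin: classify AIX fileset levels
# against the vulnerable ranges the bulletin lists. On a real host the input
# would be `lslpp -L | grep -i java` / `lslpp -L | grep -i openssl.base` output;
# here a constructed sample stands in.

# vrmf_cmp A B: print -1, 0 or 1 comparing dotted levels field by field as
# numbers (so 1.0.2.1601 > 1.0.2.999); missing trailing fields count as 0.
vrmf_cmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; a=${a#*.}; bf=${b%%.*}; b=${b#*.}
        if [ "${af:-0}" -lt "${bf:-0}" ]; then echo -1; return; fi
        if [ "${af:-0}" -gt "${bf:-0}" ]; then echo 1; return; fi
    done
    echo 0
}
# java_vulnerable FILESET LEVEL: exit 0 if LEVEL is below the bulletin's fixed
# level (Java7 < 7.0.0.640, Java7.1 < 7.1.0.440, Java8 < 8.0.0.530).
# Fileset name prefixes are an assumption; Java71* must be tested before Java7*.
java_vulnerable() {
    case "$1" in
        Java71*) t=7.1.0.440 ;;  Java7*) t=7.0.0.640 ;;  Java8*) t=8.0.0.530 ;;
        *) return 1 ;;          # not a Java fileset this bulletin covers
    esac
    [ "$(vrmf_cmp "$2" "$t")" = -1 ]
}
# in_range LEVEL LOWER UPPER: inclusive bounds, as in the openssl.base table.
in_range() { [ "$(vrmf_cmp "$1" "$2")" != -1 ] && [ "$(vrmf_cmp "$1" "$3")" != 1 ]; }
# openssl_vulnerable LEVEL: exit 0 if inside either listed range. Levels below
# 1.0.2.500 are absent because 0.9.8/1.0.1 are out of support, not because they are safe.
openssl_vulnerable() {
    in_range "$1" 1.0.2.500 1.0.2.1601 || in_range "$1" 20.13.102.1000 20.16.102.1600
}
# Constructed lslpp-style sample, "<fileset> <level>" per line.
SAMPLE='Java8_64.sdk 8.0.0.525
Java71.jre 7.1.0.440
Java7_64.sdk 7.0.0.610
openssl.base 1.0.2.1601
openssl.base 20.16.102.1700'
report() {   # one verdict line per sample fileset
    printf '%s\n' "$SAMPLE" | while read -r fs lvl; do
        case "$fs" in
            openssl.base) openssl_vulnerable "$lvl" && v=VULNERABLE || v=ok ;;
            Java*)        java_vulnerable "$fs" "$lvl" && v=VULNERABLE || v=ok ;;
            *)            v=skipped ;;
        esac
        printf '%-14s %-16s %s\n' "$fs" "$lvl" "$v"
    done
}
report
```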

Remediation/Fixes

A. FIXES

The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix30.tar
http://aix.software.ibm.com/aix/efixes/security/openssl_fix30.tar
https://aix.software.ibm.com/aix/efixes/security/openssl_fix30.tar

The links above are to a tar file containing this signed advisory, fix
packages, and OpenSSL signatures for each package. The fixes below include
prerequisite checking. This will enforce the correct mapping between the fixes
and AIX Technology Levels.

Note that the tar file contains interim fixes that are specific to the OpenSSL
version, and AIX OpenSSL fixes are cumulative. You must be at the 'prereq for
installation' level before applying the interim fix, which may require
installing a new level (the prereq version) first.

AIX Level            Interim Fix (*.Z)          Fileset Name (prereq for installation)   KEY
----------------------------------------------------------------------------------------------
5.3, 6.1, 7.1, 7.2   102pa_mfix.190318.epkg.Z   openssl.base(1.0.2.1601)                 key_w_fix
5.3, 6.1, 7.1, 7.2   fips_102pa.190318.epkg.Z   openssl.base(20.16.102.1600)             key_w_fix

VIOS Level           Interim Fix (*.Z)          Fileset Name (prereq for installation)   KEY
----------------------------------------------------------------------------------------------
2.2.x                102pa_mfix.190318.epkg.Z   openssl.base(1.0.2.1601)                 key_w_fix
2.2.x                fips_102pa.190318.epkg.Z   openssl.base(20.16.102.1600)             key_w_fix

To extract the fixes from the tar file:
tar xvf openssl_fix30.tar
cd openssl_fix30

Verify that you have retrieved the fixes intact. The checksums below were
generated with the "openssl dgst -sha256 file" command:

openssl dgst -sha256 filename                                                                KEY
-------------------------------------------------------------------------------------------------------
cf3418b3cb99e678c47e334460782e4e4eef0a67a32b10612cd4709006ebf4e0  102pa_mfix.190318.epkg.Z   key_w_csum
4de4c7534856d1192cf7f80bb5ca0bef8a8b514f78afffbcdf8397959f55163e  fips_102pa.190318.epkg.Z   key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes. If the
sums or signatures cannot be confirmed, contact IBM AIX Support at
https://ibm.com/support/ and describe the discrepancy.

openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory30.asc.sig
https://aix.software.ibm.com/aix/efixes/security/openssl_advisory30.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory30.asc.sig

B. FIX AND INTERIM FIX INSTALLATION

Interim fixes have had limited functional and regression testing but not the
full regression testing that takes place for Service Packs; however, IBM does
fully support them. Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:
    emgr -e ipkg_name -p     # where ipkg_name is the name of the
                             # interim fix package being previewed.

To install an interim fix package:
    emgr -e ipkg_name -X     # where ipkg_name is the name of the
                             # interim fix package being installed.

Workarounds and Mitigations

None.


Acknowledgement

None.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================