===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1368
         A security vulnerability has been identified in IBM Java
                 Runtime which affects DataQuant for z/OS
                               23 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM DataQuant
Publisher:         IBM
Operating System:  z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2426 CVE-2018-12549 CVE-2018-12547
                   CVE-2018-11212 CVE-2018-1890 

Reference:         ASB-2019.0018
                   ESB-2019.1349
                   ESB-2019.1288
                   ESB-2019.0313
                   ESB-2019.0263
                   ESB-2019.0262

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10881488

- --------------------------BEGIN INCLUDED TEXT--------------------

A security vulnerability has been identified in IBM Java Runtime which affects
DataQuant for z/OS

Product:             DataQuant
Software version:    2.1
Operating system(s): z/OS
Reference #:         0881488

Security Bulletin

Summary

An unspecified vulnerability has been identified in IBM Java Runtime that could
affect DataQuant for z/OS.

Vulnerability Details

CVEID: CVE-2018-12547
CVSS Base Score: 9.8

DESCRIPTION:

A widely used function in the OpenJ9 JVM is vulnerable to buffer overflows.
Multiple Java Runtime components use the vulnerable code, so the issue can
manifest in a number of different ways.
The fix ensures that the buffer cannot overflow.

CVEID : CVE-2018-1890

CVSS Base Score: 5.6

DESCRIPTION:

On the AIX platform, the IBM Java 8 executable contains inappropriate absolute
RPATHs, which may allow local users to inject code into JVM processes launched
by other users with higher privileges.
The fix removes the unsafe RPATHs.

CVEID : CVE-2018-12549

CVSS Base Score: 9.8

DESCRIPTION:

A flaw in the OpenJ9 JIT compiler allows unprivileged code to access
sensitive methods in the internal class sun.misc.Unsafe, which allows the
untrusted code to elevate its privileges.
The fix prevents optimized unprivileged code from accessing sun.misc.Unsafe.

CVEID: CVE-2019-2426

CVSS Base Score: 3.7

DESCRIPTION:

The transparent NTLM authentication implementation in
java.net.HttpURLConnection exposes the user's NTLM credentials to any server
that requests them.
The fix disables transparent NTLM authentication by default. A new system
property (jdk.http.ntlm.transparentAuth) allows the user to enable transparent
NTLM authentication for all hosts or trusted hosts only.

CVEID : CVE-2018-11212

CVSS Base Score: 5.3

DESCRIPTION:

A flaw in the Java runtime's JPEG parser allows maliciously crafted JPEG data
to inflict a denial-of-service by triggering a JVM crash.
The fix ensures that the bad JPEG data is handled gracefully.

Affected Products and Versions

+-------------------------------+
|Principal Products and Versions|
+-------------------------------+
|DataQuant for z/OS 2.1.0       |
+-------------------------------+


Remediation/Fixes

Steps to update Java for IBM DataQuant:

1. Close DataQuant.

2. Download JRE version 8.0.5.30 from the IBM Java download portal.

3. Replace the jre folder at the install directory location
(C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation) with the
contents of the JRE downloaded in step 2.

4. Download Eclipse Oxygen from
https://www.eclipse.org/downloads/download.php?file=/technology/epp/downloads/release/oxygen/3a/eclipse-jee-oxygen-3a-win32-x86_64.zip

5. Extract the Eclipse Oxygen archive and copy the plugin
org.apache.jasper.glassfish_2.2.2.v201501141630.jar from
eclipse-jee-oxygen-3a-win32-x86_64\eclipse\plugins

6. Copy org.apache.jasper.glassfish_2.2.2.v201501141630.jar in the folder where
DataQuant is installed - C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for
Workstation\plugins

7. Delete the older plugin org.apache.jasper.glassfish_2.2.2.v201205150955.jar
from the DataQuant install directory
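A post-remediation check for steps 1 to 7, written here as an added PowerShell example; it is not part of the IBM bulletin. It assumes the default install path given in step 3, that the downloaded JRE was unpacked into the jre folder under that path (so jre\bin\java.exe exists), and that the "install directory" in step 7 means the plugins folder.

```powershell
# Added example (not from the IBM bulletin): verify the DataQuant for
# Workstation remediation steps after they have been carried out.
# Assumptions: the bulletin's default install path, and jre\bin\java.exe
# inside the replaced jre folder.
$ErrorActionPreference = 'Stop'

$InstallDir = 'C:\Program Files (x86)\IBM\IBM DataQuant\DataQuant for Workstation'
$OldPlugin  = 'org.apache.jasper.glassfish_2.2.2.v201205150955.jar'   # step 7: must be gone
$NewPlugin  = 'org.apache.jasper.glassfish_2.2.2.v201501141630.jar'   # step 6: must be present

function Test-DataQuantRemediation {
    param([string]$Root = $InstallDir)

    $pluginsDir = Join-Path $Root 'plugins'
    $javaExe    = Join-Path $Root 'jre\bin\java.exe'
    $problems   = @()

    # Step 7: the superseded Jasper plugin must no longer be loadable.
    if (Test-Path (Join-Path $pluginsDir $OldPlugin)) {
        $problems += "old plugin still present: $OldPlugin"
    }
    # Step 6: the replacement plugin must be in the plugins folder.
    if (-not (Test-Path (Join-Path $pluginsDir $NewPlugin))) {
        $problems += "replacement plugin missing: $NewPlugin"
    }
    # Any additional Jasper bundle versions would leave a second copy of the
    # old code reachable, so list every match rather than only the two names.
    $jasperJars = Get-ChildItem -Path $pluginsDir -Filter 'org.apache.jasper.glassfish_*.jar' -ErrorAction SilentlyContinue
    if ($jasperJars.Count -ne 1) {
        $problems += "expected exactly one Jasper plugin, found: $($jasperJars.Name -join ', ')"
    }
    # Steps 2-3: the replaced jre folder must contain a java executable. Its
    # version banner is printed on stderr; show it so the operator can compare
    # it with the JRE 8.0.5.30 download from the IBM portal.
    if (-not (Test-Path $javaExe)) {
        $problems += "no java.exe under $Root\jre\bin"
    } else {
        $banner = & $javaExe -version 2>&1 | Out-String
        Write-Host "Bundled JRE reports:`n$banner"
    }

    if ($problems.Count -eq 0) {
        Write-Host "OK: DataQuant remediation steps verified under $Root"
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-DataQuantRemediation
```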

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================