-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1373
 A vulnerability in IBM WebSphere Application Server affects IBM Spectrum
       Scale packaged in IBM Elastic Storage Server (CVE-2018-1901)
                               23 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Elastic Storage Server
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1901  

Reference:         ESB-2019.1243
                   ESB-2019.1142
                   ESB-2019.0727
                   ESB-2018.3895
                   ESB-2018.3872
                   ESB-2018.3851

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10881039

- --------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale
packaged in IBM Elastic Storage Server (CVE-2018-1901)

Product:             IBM Elastic Storage Server
Software version:    All Versions
Operating system(s): Linux
Reference #:         0881039

Security Bulletin

Summary

There is a vulnerability in IBM WebSphere Application Server, used by IBM
Spectrum Scale. This issue allows a remote attacker to temporarily gain elevated
privileges on the system.

Vulnerability Details

CVEID: CVE-2018-1901
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to
temporarily gain elevated privileges on the system, caused by an incorrect cached
value being used.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/152530 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The Elastic Storage Server 5.3 thru 5.3.2.1
The Elastic Storage Server 5.0.0 thru 5.2.5
The Elastic Storage Server 4.5.0 thru 4.6.0
The Elastic Storage Server 4.0.0 thru 4.0.6

Remediation/Fixes

For IBM Elastic Storage Server V5.0.0. thru 5.3.2.1, apply V5.3.3.0 available
from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.3.0&platform=All&function=all

For IBM Elastic Storage Server V5.0.0. thru 5.2.5.0, apply V5.2.6 available
from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.2.0&platform=All&function=all

If you are unable to upgrade to ESS 5.3.3.0 or 5.2.6, please contact IBM
Service to obtain an efix:

- - For IBM Elastic Storage Server 5.3.0.0-5.3.1.1, reference APAR IJ13422
- - For IBM Elastic Storage Server 5.0.0 - 5.2.4.0, reference APAR IJ10573
- - For IBM Elastic Storage Server 4.0.0 - 4.6.0, reference APAR IJ13398

To contact IBM Service, see http://www.ibm.com/planetwide/
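
The affected ranges and fix options listed above, expressed as a triage check
for an inventory of ESS versions. This is an added example, not part of the IBM
or AusCERT text; it assumes the installed version is already known as a dotted
string, and the function names are illustrative.

```python
# Added example: ranges and fix identifiers are transcribed from this bulletin.
from itertools import zip_longest

def parse(v):
    """'5.3.1.1' -> (5, 3, 1, 1); tolerates a leading 'V' and a trailing dot."""
    return tuple(int(p) for p in v.strip().lstrip("vV").split(".") if p)

def compare(a, b):
    """Compare version tuples, padding the shorter with zeros (5.3 == 5.3.0.0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def in_range(v, lo, hi):
    """True when lo <= v <= hi (both bounds inclusive, as 'thru' implies)."""
    return compare(parse(lo), v) <= 0 and compare(v, parse(hi)) <= 0

# "Affected Products and Versions"
AFFECTED = [("5.3", "5.3.2.1"), ("5.0.0", "5.2.5"),
            ("4.5.0", "4.6.0"), ("4.0.0", "4.0.6")]
# "Remediation/Fixes": upgrade targets, then efix APARs from IBM Service
UPGRADES = [("5.0.0", "5.3.2.1", "upgrade to V5.3.3.0"),
            ("5.0.0", "5.2.5.0", "upgrade to V5.2.6")]
EFIXES = [("5.3.0.0", "5.3.1.1", "efix APAR IJ13422"),
          ("5.0.0", "5.2.4.0", "efix APAR IJ10573"),
          ("4.0.0", "4.6.0", "efix APAR IJ13398")]

def triage(version):
    """Return (listed_as_affected, remediation_options) for one ESS version.

    The two lists are evaluated independently, so a version that falls in a
    fix range but not in an affected range (or the reverse) stays visible.
    """
    v = parse(version)
    affected = any(in_range(v, lo, hi) for lo, hi in AFFECTED)
    options = [fix for lo, hi, fix in UPGRADES + EFIXES if in_range(v, lo, hi)]
    return affected, options

if __name__ == "__main__":
    # Constructed sample inventory
    for ver in ["5.3.2.0", "5.1.0", "4.5.0", "4.1.0", "5.3.3.0"]:
        print(ver, triage(ver))
```

In the sample inventory, 5.3.2.0 is listed as affected but matches no efix APAR,
and 4.1.0 matches an efix range without appearing in the affected list.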

Workarounds and Mitigations

None

Change History

19 April 2019 : Original version published.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----