-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1559
          Java Vulnerability Affects IBM Sterling Connect:Direct
           Browser User Interface (CVE-2018-1890, CVE-2018-3180)
                                6 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sterling Connect:Direct Browser User Interface
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges           -- Existing Account            
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3180 CVE-2018-1890 

Reference:         ESB-2019.1547
                   ESB-2019.1541
                   ASB-2018.0290

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10881526

- --------------------------BEGIN INCLUDED TEXT--------------------

Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface
(CVE-2018-1890, CVE-2018-3180)

Product:             Sterling Connect:Direct Browser User Interface
Software version:    1.5.0.2
Operating system(s): Platform Independent
Reference #:         0881526

Security Bulletin

Summary

There are vulnerabilities in IBM Runtime Environment Java Technology Edition,
Version 8, which is used by IBM Sterling Connect:Direct Browser User Interface.
These issues were disclosed as part of the IBM Java SDK updates in November 2018
and March 2019.

Vulnerability Details

CVE-ID: CVE-2018-3180
Description: A flaw in the JSSE component means that TLS connections do not
always check the validity of the hostname on the server-side certificate.
The fix ensures that server-side certificates are checked correctly.
CVSS Base Score: 5.6
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/151497 for more
information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID: CVE-2018-1890
Description: On the AIX platform, the IBM Java 8 executable contains
inappropriate absolute RPATHs, which may allow local users to inject code
into JVM processes launched by other users with higher privileges.
CVSS Base Score: 7.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/152081 for more
information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
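
The check that CVE-2018-3180 concerns, written out as an added example for this
bulletin (not IBM or JSSE code): an RFC 6125-style comparison of the requested
hostname against the server certificate's subjectAltName entries, which a TLS
client must perform after chain validation, or it will accept any validly
signed certificate presented for the wrong host. The SAN lists used below are
constructed for illustration, and the function names (verify_hostname,
dns_id_matches, tls_client_decision) are the example's own.

```python
"""RFC 6125-style hostname check against a certificate's subjectAltName.

Added example for this bulletin, not IBM or JSSE code. The SAN entry lists
used below are constructed, in the (type, value) shape that Python's
ssl.SSLSocket.getpeercert()["subjectAltName"] returns.
"""
import ipaddress


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is the same name.
    return name.lower().rstrip(".")


def dns_id_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry (possibly a wildcard) against a hostname."""
    pattern, host = _norm(pattern), _norm(host)
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # RFC 6125 s6.4.3: honour a wildcard only as the entire left-most label,
    # never "w*.example.com", never "*" or "*.com", never inside other labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # The wildcard covers exactly one label: "*.example.com" matches
    # "www.example.com" but not "a.b.example.com" or "example.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_hostname(san_entries, requested_host: str) -> bool:
    """Return True only if the certificate's SAN covers requested_host.

    An IP literal must equal an iPAddress entry; it never matches a dNSName,
    and a dNSName that merely looks like an IP never matches an IP literal.
    The legacy fallback to the subject CN is deliberately not implemented.
    """
    try:
        ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_id_matches(value, requested_host):
            return True
    return False


def tls_client_decision(san_entries, requested_host: str, check_hostname: bool) -> str:
    """Outcome for a client that has already validated the certificate chain.

    With check_hostname=False the client behaves like the flawed path the
    bulletin describes: any validly signed certificate is accepted for any host.
    """
    if not check_hostname or verify_hostname(san_entries, requested_host):
        return "accept"
    return "reject"


if __name__ == "__main__":
    # Constructed SAN list for a certificate issued to example.com.
    san = [("DNS", "*.example.com"), ("DNS", "example.com"), ("IP Address", "192.0.2.10")]
    for host in ("www.example.com", "WWW.EXAMPLE.COM.", "a.b.example.com",
                 "attacker.test", "192.0.2.10", "192.0.2.11"):
        print(f"{host:20} checked={tls_client_decision(san, host, True):7} "
              f"unchecked={tls_client_decision(san, host, False)}")
```

In JSSE this comparison is the endpoint identification step that is switched
on with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"). The example
only makes concrete what a correct check rejects; it is not a workaround, since
the bulletin lists none, and the remediation remains the iFix below.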

Affected Products and Versions

Connect:Direct Browser User Interface 1.5.0.2 through 1.5.0.2 iFix23

Remediation/Fixes

Product                                         VRMF      iFix     Remediation
Sterling Connect:Direct Browser User Interface  1.5.0.2   iFix24   Fix Central - 1.5.0.2

Workarounds and Mitigations

None

Change History

18 April 2019: Original document published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXM+S1maOgq3Tt24GAQgvPxAA2uDm+omWouLQW2qN0Sss52v+RyaPtPJJ
haPNrBYKHxMfMu+MOcInqCD/grT9qmE/o1fZmmxOznJJSdc4E8lCg21Qa28Bfcme
9k6KhMejPCHRWVgnY9XO0ql4VB/ZJPEyyDwGLuHzuV1t8ucy/KC4bv54dM8/nIXJ
vYVDIKPv73Db+EbAUWwcX+0koH17uCUYPZ3l4riAFFdwkzyhbgu/CGDcVdzxHyUl
qBn4VNZU9xz9YYi9yl6tqyzFmGzYo03kPYJyUsiI+bjdouGtW0AuEpr/TqZ7Sqyd
QbhoRy4s/fqqvPw08IGiHryGGItZKRFNqhWxKl5np47TGpIx7koMhAnTAV8pIu+p
oS0hQxCjoMoDeRkMrQjV0JdbHmcyZdoI+MgR/U06wUls1nd6OhMfhZ/r+hBHcYo2
wpgHs8N048Fu4O8zFX2NmcP3B/KkTvAlMKeKDLvF1zwjqtpzlcDdTMjdwiCqNdrt
W45FqyXkPS5JTU5of56QJKeHeFSjgDFqI467+i73WID6rdQCkJdjJvqN8uUZkRJY
iNNaQYWx8MzJPHGGGFSgrzmU6uDXGRqyTTb/iIcAJ544UkhR1m9EpLdU2kn/0B8Y
86mvH8VPC9HlOeib9M4W48jXegr8bSaN5lak6ok+YmZnYLO9NthF0xl1XWXvvrYD
8h0qo/J5cc8=
=5nXg
-----END PGP SIGNATURE-----