-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1884
   Multiple vulnerabilities in IBM Spectrum Control (formerly Tivoli Storage
                             Productivity Center)
                                 27 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Spectrum Control Standard Edition
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4138 CVE-2019-4137 CVE-2019-4046 CVE-2019-2426
                   CVE-2019-1559 CVE-2018-12547 CVE-2018-1902 CVE-2018-1890
Reference:         ASB-2019.0147 ASB-2019.0128 ASB-2019.0120 ASB-2019.0088

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10883086
   http://www.ibm.com/support/docview.wss?uid=ibm10880905
   http://www.ibm.com/support/docview.wss?uid=ibm10881003
   http://www.ibm.com/support/docview.wss?uid=ibm10879903
   http://www.ibm.com/support/docview.wss?uid=ibm10880375

Comment: This bulletin contains five (5) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Product:             IBM Spectrum Control Standard Edition
Software version:    5.2.17.1, 5.2.17.2, 5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13,
                     5.2.14, 5.2.15, 5.2.15.2, 5.2.16, 5.2.17.0, 5.3.0, 5.3.1, 5.3.2
Operating system(s): AIX, Linux, Windows
Reference #:         0883086

Security Bulletin

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition that is
shipped and used by IBM Spectrum Control (formerly Tivoli Storage Productivity
Center). These issues were disclosed as part of the IBM Java SDK updates for
January 2019.

Vulnerability Details

CVEID: CVE-2019-2426
DESCRIPTION: An unspecified vulnerability related to the Java SE Networking
component could allow an unauthenticated attacker to obtain sensitive
information resulting in a low confidentiality impact using unknown attack
vectors.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155744
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-12547
DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by
improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions.
By sending an overly long argument, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157512
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1890
DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform
uses absolute RPATHs which may facilitate code injection and privilege
elevation by local users.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152081
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

+--------------------------------------+-----------------+
|Affected Product                      |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1  |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.3.0 - 5.3.2    |
+--------------------------------------+-----------------+

The versions listed above apply to all licensed offerings of IBM Spectrum
Control.

Remediation/Fixes

The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable. Starting with 5.2.8, Tivoli Storage
Productivity Center has been renamed to IBM Spectrum Control.

+-------+------------+-----------------------------------------------------------+
|Release|First Fixing|Link to Fix/Fix Availability Target                        |
|       |VRM Level   |                                                           |
+-------+------------+-----------------------------------------------------------+
|5.2    |5.2.17.3    |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+
|5.3    |5.3.3       |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+

Note: It is always recommended to have a current backup before applying any
update procedure.
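The affected-version ranges and the first-fixing VRM levels in the tables above are exactly what a patch-triage check needs, and version strings with four components (5.2.17.2 vs 5.2.17.3) are easy to compare wrongly as text. The Python below is an added example, not IBM's or AusCERT's tooling: it encodes the three inclusive ranges and fix levels from this bulletin and classifies a constructed inventory of installed builds; the hostnames and the "host,version" line format are assumptions.

```python
"""Patch-triage helper for the affected ranges printed in this bulletin.

Added example: encodes the three inclusive ranges from the "Affected Products
and Versions" table and the first-fixing VRM level from the Remediation table,
then classifies installed builds. Not part of IBM's or AusCERT's tooling.
"""
from typing import List, Optional, Tuple

# (product, lowest affected, highest affected, first fixing VRM level), copied
# from the bulletin. The pre-rename TPC builds share the 5.2 stream fix because,
# starting with 5.2.8, Tivoli Storage Productivity Center became Spectrum Control.
AFFECTED_RANGES = [
    ("IBM Tivoli Storage Productivity Center", "5.2.0", "5.2.7.1", "5.2.17.3"),
    ("IBM Spectrum Control", "5.2.8", "5.2.17.2", "5.2.17.3"),
    ("IBM Spectrum Control", "5.3.0", "5.3.2", "5.3.3"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.2.17.2' or '5.3' into a numeric 4-tuple so comparisons are
    numeric, not lexical ('5.2.9' must sort below '5.2.10.1'). Missing trailing
    components count as 0, so '5.3' compares equal to '5.3.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def triage(installed: str) -> Optional[Tuple[str, str]]:
    """Return (product, first_fixing_level) when the build falls inside one of
    the bulletin's inclusive ranges, or None when it is outside all of them."""
    ver = parse_version(installed)
    for product, low, high, fix in AFFECTED_RANGES:
        if parse_version(low) <= ver <= parse_version(high):
            return product, fix
    return None


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify 'host,version' inventory lines (a constructed format) into
    (host, version, status). Unparseable versions are reported, not skipped,
    so a bad inventory row cannot silently hide an exposed server."""
    results = []
    for line in lines:
        host, _, version = line.partition(",")
        host, version = host.strip(), version.strip()
        try:
            hit = triage(version)
        except ValueError:
            results.append((host, version, "unparseable version"))
            continue
        status = f"affected -> upgrade to {hit[1]}" if hit else "not listed"
        results.append((host, version, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        "sc-prod-01,5.2.17.2",
        "sc-prod-02,5.3.1",
        "tpc-legacy,5.2.4.1",
        "sc-patched,5.2.17.3",
        "sc-new,5.3.3",
    ]
    for host, version, status in triage_inventory(sample):
        print(f"{host:12} {version:10} {status}")
```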
Workarounds and Mitigations

None

Change History

23 May 2019 - original version published

Cross reference information

+--------------------+---------+--------+-------------------------------+-------+
|Product             |Component|Platform|Version                        |Edition|
+--------------------+---------+--------+-------------------------------+-------+
|Tivoli Storage      |         |AIX,    |5.2.0, 5.2.1, 5.2.2, 5.2.3,    |       |
|Productivity Center |         |Linux,  |5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1 |       |
|                    |         |Windows |                               |       |
+--------------------+---------+--------+-------------------------------+-------+

- --------------------------------------------------------------------------------------

OpenSSL vulnerability affects IBM Spectrum Control (formerly Tivoli Storage
Productivity Center) (CVE-2019-1559)

Product:             IBM Spectrum Control Standard Edition
Software version:    5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
                     5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #:         0880905

Security Bulletin

Summary

An OpenSSL vulnerability was disclosed on February 26, 2019 by the OpenSSL
Project. OpenSSL, used by IBM Spectrum Control (formerly Tivoli Storage
Productivity Center), has addressed the applicable CVE.

Vulnerability Details

CVE-ID: CVE-2019-1559
Description: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to immediately close the TCP connection
after the hosts encounter a zero-length record with valid padding. An attacker
could exploit this vulnerability using a 0-byte record padding-oracle attack to
decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157514
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------+-----------------+
|Affected Product                      |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1  |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.3.0 - 5.3.2    |
+--------------------------------------+-----------------+

Remediation/Fixes

The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable. Starting with 5.2.8, Tivoli Storage
Productivity Center has been renamed to IBM Spectrum Control.

+-------+------------+-----------------------------------------------------------+
|Release|First Fixing|Link to Fix/Fix Availability Target                        |
|       |VRM Level   |                                                           |
+-------+------------+-----------------------------------------------------------+
|5.2    |5.2.17.3    |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+
|5.3    |5.3.3       |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+

Note: It is always recommended to have a current backup before applying any
update procedure.

Workarounds and Mitigations

None.

Change History

23 May 2019 - original version published.
Cross reference information

+--------------------+---------+--------+-------------------------------+-------+
|Product             |Component|Platform|Version                        |Edition|
+--------------------+---------+--------+-------------------------------+-------+
|Tivoli Storage      |         |AIX,    |5.2.0, 5.2.1, 5.2.2, 5.2.3,    |       |
|Productivity Center |         |Linux,  |5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1 |       |
|                    |         |Windows |                               |       |
+--------------------+---------+--------+-------------------------------+-------+

- --------------------------------------------------------------------------------------

Potential Spoofing vulnerability in WebSphere Application Server affects IBM
Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1902)

Product:             IBM Spectrum Control Standard Edition
Software version:    5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
                     5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #:         0881003

Security Bulletin

Summary

There is a potential spoofing vulnerability in IBM WebSphere Application Server
which affects IBM Spectrum Control (formerly Tivoli Storage Productivity
Center).

Vulnerability Details

CVEID: CVE-2018-1902
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to
spoof connection information which could be used to launch further attacks
against the system.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152531
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+--------------------------------------+-----------------+
|Affected Product                      |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1  |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.3.0 - 5.3.2    |
+--------------------------------------+-----------------+

The versions listed above apply to all licensed offerings of IBM Spectrum
Control.

Remediation/Fixes

The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable. Starting with 5.2.8, Tivoli Storage
Productivity Center has been renamed to IBM Spectrum Control.

+-------+------------+-----------------------------------------------------------+
|Release|First Fixing|Link to Fix/Fix Availability Target                        |
|       |VRM Level   |                                                           |
+-------+------------+-----------------------------------------------------------+
|5.2    |5.2.17.3    |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+
|5.3    |5.3.3       |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+

Note: It is always recommended to have a current backup before applying any
update procedure.

Workarounds and Mitigations

None

Change History

23 May 2019 - original version published

Cross reference information

+--------------------+---------+--------+-------------------------------+-------+
|Product             |Component|Platform|Version                        |Edition|
+--------------------+---------+--------+-------------------------------+-------+
|Tivoli Storage      |         |AIX,    |5.2.0, 5.2.1, 5.2.2, 5.2.3,    |       |
|Productivity Center |         |Linux,  |5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1 |       |
|                    |         |Windows |                               |       |
+--------------------+---------+--------+-------------------------------+-------+

- --------------------------------------------------------------------------------------

Potential denial of service vulnerability in WebSphere Application Server which
affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
(CVE-2019-4046)

Product:             IBM Spectrum Control Standard Edition
Software version:    5.2.8, 5.2.10.1, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15,
                     5.2.15.2, 5.2.16, 5.2.17.0, 5.2.17.1, 5.2.1
Operating system(s): AIX, Linux, Windows
Reference #:         0879903

Security Bulletin

Summary

There is a potential denial of service in WebSphere Application Server which
affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center).

Vulnerability Details

CVEID: CVE-2019-4046
DESCRIPTION: IBM WebSphere Application Server is vulnerable to a denial of
service, caused by improper handling of request headers. A remote attacker
could exploit this vulnerability to cause the consumption of memory.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156242
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

+--------------------------------------+-----------------+
|Affected Product                      |Affected Versions|
+--------------------------------------+-----------------+
|IBM Tivoli Storage Productivity Center|5.2.0 - 5.2.7.1  |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.2.8 - 5.2.17.2 |
+--------------------------------------+-----------------+
|IBM Spectrum Control                  |5.3.0 - 5.3.2    |
+--------------------------------------+-----------------+

The versions listed above apply to all licensed offerings of IBM Spectrum
Control.

Remediation/Fixes

The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable. Starting with 5.2.8, Tivoli Storage
Productivity Center has been renamed to IBM Spectrum Control.

+-------+------------+-----------------------------------------------------------+
|Release|First Fixing|Link to Fix/Fix Availability Target                        |
|       |VRM Level   |                                                           |
+-------+------------+-----------------------------------------------------------+
|5.2    |5.2.17.3    |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+
|5.3    |5.3.3       |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+

Note: It is always recommended to have a current backup before applying any
update procedure.

Workarounds and Mitigations

None

Change History

23 May 2019 - original version published

Cross reference information

+--------------------+---------+--------+-------------------------------+-------+
|Product             |Component|Platform|Version                        |Edition|
+--------------------+---------+--------+-------------------------------+-------+
|Tivoli Storage      |         |AIX,    |5.2.0, 5.2.1, 5.2.2, 5.2.3,    |       |
|Productivity Center |         |Linux,  |5.2.4, 5.2.4.1, 5.2.6, 5.2.7.1 |       |
|                    |         |Windows |                               |       |
+--------------------+---------+--------+-------------------------------+-------+

- --------------------------------------------------------------------------------------

Cross-site scripting and failure to enforce HTTP Strict Transport Security
vulnerabilities in IBM Spectrum Control (formerly Tivoli Storage Productivity
Center) (CVE-2019-4137, CVE-2019-4138)

Product:             IBM Spectrum Control Standard Edition
Software version:    5.2.13, 5.2.14, 5.2.15, 5.2.15.2, 5.2.16, 5.2.17.0,
                     5.2.17.1, 5.2.17.2, 5.3.0.1, 5.3.1, 5.3.2
Operating system(s): AIX, Linux, Windows
Reference #:         0880375

Security Bulletin

Summary

IBM Spectrum Control (formerly Tivoli Storage Productivity Center) is
vulnerable to cross-site scripting and failure to enforce HTTP Strict Transport
Security.

Vulnerability Details

CVEID: CVE-2019-4137
DESCRIPTION: IBM Tivoli Storage Productivity Center is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158333
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-4138
DESCRIPTION: IBM Tivoli Storage Productivity Center could allow a remote
attacker to obtain sensitive information, caused by the failure to properly
enable HTTP Strict Transport Security. An attacker could exploit this
vulnerability to obtain sensitive information using man in the middle
techniques.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158334
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

+--------------------+-----------------+
|Affected Product    |Affected Versions|
+--------------------+-----------------+
|IBM Spectrum Control|5.2.13 - 5.2.17.2|
+--------------------+-----------------+
|IBM Spectrum Control|5.3.0 - 5.3.2    |
+--------------------+-----------------+

The versions listed above apply to all licensed offerings of IBM Spectrum
Control.

Remediation/Fixes

The solution is to apply an appropriate IBM Spectrum Control fix. Click on the
download link and follow the Installation Instructions. The solution should be
implemented as soon as practicable.

+-------+------------+-----------------------------------------------------------+
|Release|First Fixing|Link to Fix/Fix Availability Target                        |
|       |VRM Level   |                                                           |
+-------+------------+-----------------------------------------------------------+
|5.2    |5.2.17.3    |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+
|5.3    |5.3.3       |http://www.ibm.com/support/docview.wss?uid=swg21320822#53_0|
+-------+------------+-----------------------------------------------------------+

Note: It is always recommended to have a current backup before applying any
update procedure.

Workarounds and Mitigations

None

Change History

23 May 2019 - original version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.