===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.2568
A vulnerability in IBM InfoSphere Data Flow Designer could expose sensitive information
12 July 2019

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM InfoSphere Information Server
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Console/Physical
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4404 CVE-2019-4373 CVE-2019-4372
                   CVE-2019-4370 CVE-2017-3164 CVE-2015-5211
                   CVE-2015-3192 CVE-2014-0114 CVE-2012-2098

Reference:         ASB-2019.0123
                   ASB-2017.0164
                   ASB-2017.0053
                   ESB-2013.1625
                   ESB-2013.1240
                   ESB-2013.1133

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm10888009
   https://www.ibm.com/support/docview.wss?uid=ibm10887973
   https://www.ibm.com/support/docview.wss?uid=ibm10887999
   https://www.ibm.com/support/docview.wss?uid=ibm10888007
   https://www.ibm.com/support/docview.wss?uid=ibm10887113
   https://www.ibm.com/support/docview.wss?uid=ibm10887119
   https://www.ibm.com/support/docview.wss?uid=ibm10957873
   https://www.ibm.com/support/docview.wss?uid=ibm10887121

Comment: This bulletin contains eight (8) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in IBM InfoSphere Data Flow Designer could expose sensitive information

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.7
Operating system(s): AIX, Linux, Windows
Reference #: 0888009
Modified date: 11 July 2019

Summary

A vulnerability that exposes sensitive information was addressed by IBM InfoSphere Data Flow Designer.

Vulnerability Details

CVEID: CVE-2019-4404
DESCRIPTION: IBM InfoSphere Information Server could disclose highly sensitive information to a user with physical access to the system.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:

IBM InfoSphere Data Flow Designer: version 11.7
IBM InfoSphere Information Server on Cloud: version 11.7

Remediation/Fixes

Product                        VRMF  APAR     Remediation/First Fix
InfoSphere Data Flow           11.7  JR61219  --Apply InfoSphere Information Server version 11.7.1.0
Designer, Information Server                  --Apply IBM InfoSphere Information Server 11.7.1.0
on Cloud                                      Service Pack 1

Acknowledgement

None

Change History

11 July 2019: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------------------------------------------------------------

IBM InfoSphere Information Server components are vulnerable to phishing attacks

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.7
Operating system(s): AIX, Linux, Windows
Reference #: 0887973
Modified date: 11 July 2019

Summary

A vulnerability to phishing attacks was addressed by IBM InfoSphere Information Server Enterprise Search, Information Analyzer and Information Governance Catalog.

Vulnerability Details

CVEID: CVE-2019-4370
DESCRIPTION: IBM InfoSphere Information Server could allow a local attacker to modify the opening page and conduct phishing attacks.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/161809 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:

IBM InfoSphere Information Server Enterprise Search: version 11.7
IBM InfoSphere Information Analyzer: version 11.7
IBM InfoSphere Information Governance Catalog: version 11.7
IBM InfoSphere Information Server on Cloud: version 11.7

Remediation/Fixes

Product                        VRMF  APAR     Remediation/First Fix
InfoSphere Information Server  11.7  JR61057  --Apply IBM InfoSphere Information Server version
Enterprise Search,                            11.7.1.0
Information Analyzer,                         --Apply IBM InfoSphere Information Server 11.7.1.0
Information Governance                        Service Pack 1
Catalog, Information Server
on Cloud

Acknowledgement

None

Change History

11 July 2019: Original version published

--------------------------------------------------------------------------------

IBM InfoSphere Information Server is affected by a Cross-site scripting vulnerability

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.3, 11.5, 11.7
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 0887999
Modified date: 11 July 2019

Summary

A Cross-site scripting vulnerability was addressed by IBM InfoSphere Information Server Enterprise Search, Information Analyzer and Information Governance Catalog.

Vulnerability Details

CVEID: CVE-2019-4372
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162074 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:

IBM InfoSphere Information Server Enterprise Search: version 11.7
IBM InfoSphere Information Analyzer: version 11.7
IBM InfoSphere Information Governance Catalog: version 11.7
IBM InfoSphere QualityStage: versions 11.3, 11.5, 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, 11.7

Remediation/Fixes

Product                        VRMF  APAR     Remediation/First Fix
InfoSphere Information Server  11.7  JR61058  --Apply InfoSphere Information Server version 11.7.1.0
Enterprise Search,                            --Apply IBM InfoSphere Information Server 11.7.1.0
Information Analyzer,                         Service Pack 1
Information Governance
Catalog, QualityStage,                        --Users of InfoSphere QualityStage, contact IBM Customer
Information Server on Cloud                   Support

InfoSphere QualityStage,       11.5  JR61058  --Users of InfoSphere QualityStage, contact IBM Customer
Information Server on Cloud                   Support

InfoSphere QualityStage        11.3  JR61058  --Users of InfoSphere QualityStage, contact IBM Customer
                                              Support

Acknowledgement

None

Change History

11 July 2019: Original version published

--------------------------------------------------------------------------------

IBM InfoSphere Information Server is affected by a Reflected cross-site scripting vulnerability

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.3, 11.5, 11.7
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 0888007
Modified date: 11 July 2019

Summary

A Reflected cross-site scripting vulnerability was addressed by IBM InfoSphere Information Server Enterprise Search, Information Analyzer and Information Governance Catalog.

Vulnerability Details

CVEID: CVE-2019-4373
DESCRIPTION: IBM InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162075 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:

IBM InfoSphere Information Server Enterprise Search: version 11.7
IBM InfoSphere Information Analyzer: version 11.7
IBM InfoSphere Information Governance Catalog: version 11.7
IBM InfoSphere QualityStage: versions 11.3, 11.5, 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, 11.7

Remediation/Fixes

Product                        VRMF  APAR     Remediation/First Fix
InfoSphere Information Server  11.7  JR61059  --Apply InfoSphere Information Server version 11.7.1.0
Enterprise Search,                            --Apply IBM InfoSphere Information Server 11.7.1.0
Information Analyzer,                         Service Pack 1
Information Governance
Catalog, QualityStage,                        --Users of InfoSphere QualityStage, contact IBM Customer
Information Server on Cloud                   Support

InfoSphere QualityStage,       11.5  JR61059  --Users of InfoSphere QualityStage, contact IBM Customer
Information Server on Cloud                   Support

InfoSphere QualityStage        11.3  JR61059  --Users of InfoSphere QualityStage, contact IBM Customer
                                              Support

Change History

11 July 2019: Original version published

--------------------------------------------------------------------------------

Security Bulletin: A vulnerability in Apache Ant affects IBM InfoSphere Information Server

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.3, 11.5, 11.7
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 0887113
Modified date: 11 July 2019

Summary

A vulnerability in Apache Ant was addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2012-2098
DESCRIPTION: Apache Commons Compress and Apache Ant are vulnerable to a denial of service, caused by an error when using bzip2 compression to compress files. By passing specially-crafted input to the BZip2CompressorOutputStream class, a remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75857 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

The following product, running on all supported platforms, is affected:

IBM InfoSphere Information Server: versions 11.3, 11.5, 11.7

Remediation/Fixes

+-----------+---------+---------+-----------------------------------------------+
|Product    |VRMF     |APAR     |Remediation/First Fix                          |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.7     |JR60963  |--Apply IBM InfoSphere Information Server      |
|Information|         |         |version 11.7.1.0                               |
|Server,    |         |         |--Apply IBM InfoSphere Information Server      |
|Information|         |         |11.7.1.0 Service Pack 1                        |
|Server on  |         |         |                                               |
|Cloud      |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |         |         |                                               |
|Information|         |         |                                               |
|Server,    |11.5     |JR60963  |--Contact IBM Customer Support                 |
|Information|         |         |                                               |
|Server on  |         |         |                                               |
|Cloud      |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |         |         |--Upgrade to a new release where the issue has |
|Information|11.3     |JR60963  |been addressed                                 |
|Server     |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+

Change History

11 July 2019: Original version published

--------------------------------------------------------------------------------

Security Bulletin: A vulnerability in Apache Commons BeanUtils affects IBM InfoSphere Information Server

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.3, 11.5, 11.7
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 0887119
Modified date: 11 July 2019

Summary

A vulnerability in Apache Commons BeanUtils was addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2014-0114
DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

The following product, running on all supported platforms, is affected:

IBM InfoSphere Information Server: versions 11.3, 11.5, 11.7

Remediation/Fixes

+-----------+---------+---------+-----------------------------------------------+
|Product    |VRMF     |APAR     |Remediation/First Fix                          |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.7     |JR61135  |--Apply IBM InfoSphere Information Server      |
|Information|         |         |version 11.7.1.0                               |
|Server,    |         |         |--Apply IBM InfoSphere Information Server      |
|Information|         |         |11.7.1.0 Service Pack 1                        |
|Server on  |         |         |                                               |
|Cloud      |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |         |         |                                               |
|Information|         |         |                                               |
|Server,    |11.5     |JR61135  |--Contact IBM Customer Support                 |
|Information|         |         |                                               |
|Server on  |         |         |                                               |
|Cloud      |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |         |         |--Upgrade to a new release where the issue has |
|Information|11.3     |JR61135  |been addressed                                 |
|Server     |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical Support.

Change History

11 July 2019: Original version published

--------------------------------------------------------------------------------

Security Bulletin: A vulnerability in Apache Solr (lucene) affects IBM InfoSphere Information Server

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: All Versions
Operating system(s): AIX, Linux, Windows
Software edition: 11.5, 11.7
Reference #: 0957873
Modified date: 11 July 2019

Summary

A vulnerability in Apache Solr (lucene) was addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2017-3164
DESCRIPTION: Apache Solr is vulnerable to server-side request forgery, caused by not having a corresponding whitelist mechanism in the shards parameter. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:

IBM InfoSphere Information Server: versions 11.5, 11.7
IBM InfoSphere Information Server on Cloud: versions 11.5, 11.7

Remediation/Fixes

Product                        VRMF  APAR     Remediation/First Fix
InfoSphere Information         11.7  JR61261  --Apply InfoSphere Information Server version 11.7.1.0
Server, Information Server on                 --Apply InfoSphere Information Server 11.7.1.0 Service
Cloud                                         Pack 1
                                              --Users of Information Server Exception Management
                                              contact IBM Customer Support

InfoSphere Information         11.5  JR61261  --Users of Information Server Exception Management
Server, Information Server on                 contact IBM Customer Support
Cloud

Change History

11 July 2019: Original Version Published

--------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in Spring Framework affect IBM InfoSphere Information Server

Security Bulletin

Document information

More support for: InfoSphere Information Server
Software version: 11.7
Operating system(s): AIX, Linux, Windows
Reference #: 0887121
Modified date: 11 July 2019

Summary

Multiple vulnerabilities in Spring Framework were addressed by IBM InfoSphere Information Server.

Vulnerability Details

CVEID: CVE-2015-5211
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to download arbitrary files, caused by a reflected file download attack. By using a specially crafted URL with a batch script extension, an attacker could exploit this vulnerability to download a malicious response.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130673 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-3192
DESCRIPTION: Pivotal Spring Framework is vulnerable to a denial of service, caused by the failure to properly process inline DTD declarations when DTD is partially enabled. By persuading a victim to open a specially crafted XML file, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115554 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

The following product, running on all supported platforms, is affected:

IBM InfoSphere Information Server: version 11.7

Remediation/Fixes

+-----------+---------+---------+-----------------------------------------------+
|Product    |VRMF     |APAR     |Remediation/First Fix                          |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.7     |JR61139  |--Apply IBM InfoSphere Information Server      |
|Information|         |         |version 11.7.1.0                               |
|Server,    |         |         |--Apply IBM InfoSphere Information Server      |
|Information|         |         |11.7.1.0 Service Pack 1                        |
|Server on  |         |         |                                               |
|Cloud      |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+

Change History

11 July 2019: Original version published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.