Operating System:

[Linux]

Published:

26 August 2019



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3235
          IBM Cloud Automation Manager is affected by a forbidden
             resource redirect for bad API path CVE-2019-4132
                              26 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Automation Manager
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4132  

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10967477

--------------------------BEGIN INCLUDED TEXT--------------------

IBM Cloud Automation Manager is affected by a forbidden resource redirect for
bad API path CVE-2019-4132

Product:             IBM Cloud Automation Manager
Software version:    3.1.2
Operating system(s): Linux
Reference #:         0967477

Summary

IBM Cloud Automation Manager will redirect when a bad API path is requested
rather than issuing a 404. A user may expect an error but be redirected to a
home page instead.

Vulnerability Details

CVEID: CVE-2019-4132
DESCRIPTION: IBM Cloud Automation Manager could allow a user to be improperly
redirected and obtain sensitive information rather than receive a 404 error
message.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158274 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Cloud Automation Manager 3.1.2

Remediation/Fixes

IBM Cloud Automation Manager users should upgrade to the following release:

IBM Cloud Automation Manager 3.1.2.1

https://www.ibm.com/support/knowledgecenter/en/SS2L37_3.1.2.1/cam_upgrade_cam.html

Workarounds and Mitigations

None.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================