Operating System: AIX
Published: 22 October 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3925
       IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise
            Edition is affected by HTTP Server vulnerabilities
                              22 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Orchestrator
                   IBM Cloud Orchestrator Enterprise Edition
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Root Compromise     -- Existing Account      
                   Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        None
CVE Names:         CVE-2019-0220 CVE-2019-0211 

Reference:         ESB-2019.3241
                   ESB-2019.1813

Original Bulletin: 
   https://www.ibm.com/support/pages/node/959951

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is
affected by HTTP Server vulnerabilities

Security Bulletin

Summary

IBM HTTP Server is shipped as a component of IBM Cloud Orchestrator and IBM
Cloud Orchestrator Enterprise. Information about security vulnerabilities
affecting IBM HTTP Server has been published in a separate security bulletin.

Vulnerability Details

CVEID: CVE-2019-0211
DESCRIPTION: Apache HTTP Server could allow a local authenticated attacker to
gain elevated privileges on the system, caused by the execution of code in
less-privileged child processes or threads from modules' scripts. By
manipulating the scoreboard, an attacker could exploit this vulnerability to
execute arbitrary code on the system with root privileges.
CVSS Base Score: 8.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-0220
DESCRIPTION: Apache HTTP Server could provide weaker than expected security,
caused by URL normalization inconsistencies. A remote attacker could exploit
this vulnerability to launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
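The following is an added example, not part of the IBM bulletin or AusCERT's text. Upstream, CVE-2019-0220 concerned request paths containing consecutive slashes, which regex-based directives saw unmerged while other parts of the server collapsed them (a fact about the Apache CVE, not stated in the bulletin above). The defensive point is that every path-based access rule must be evaluated on one canonical form of the path. The protected prefixes and the sample request paths below are constructed; the audit function lists the spellings that a raw-path check and a canonical-path check classify differently, which is exactly the class of mismatch a reviewer of access rules needs to find.

```python
"""Canonicalise a request path before applying path-based access rules.

Added example; not code from IBM, AusCERT or the Apache project.
The protected prefixes and sample paths are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed sample rule: these prefixes require an authenticated session.
PROTECTED_PREFIXES = ("/admin/", "/internal/")


def canonical_path(raw_path: str) -> str:
    """Return a canonical form of a request path.

    - percent-decoding is applied once (so %61 -> 'a', %2F -> '/'),
    - runs of '/' are merged,
    - '.' and '..' segments are resolved,
    - the result always starts with '/', and a trailing '/' is preserved.
    """
    path = unquote(raw_path)
    path = re.sub(r"/{2,}", "/", path)  # merge consecutive slashes
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and result != "/":
        result += "/"
    return result


def requires_auth_naive(raw_path: str) -> bool:
    """Inconsistent approach: the prefix rule is evaluated on the raw path."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def requires_auth(raw_path: str) -> bool:
    """Consistent approach: the prefix rule is evaluated on the canonical path."""
    return canonical_path(raw_path).startswith(PROTECTED_PREFIXES)


def audit_inconsistencies(paths):
    """Return the raw paths on which the two decisions disagree.

    Each entry is a request spelling that a raw-path rule would misclassify
    relative to the canonical path the server actually serves.
    """
    return [p for p in paths if requires_auth_naive(p) != requires_auth(p)]


# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/admin/panel",
    "//admin/panel",
    "/admin//panel",
    "/public/index.html",
    "/public/../admin/panel",
    "/%61dmin/panel",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("%-26s -> %-14s raw=%s canonical=%s" % (
            p, canonical_path(p), requires_auth_naive(p), requires_auth(p)))
    print("mismatches:", audit_inconsistencies(SAMPLE_PATHS))
```

The merge of consecutive slashes is done in application code here so that the decision is reproducible in a unit test; in upstream Apache 2.4.39 and later the same merge is controlled by the MergeSlashes directive. The key design choice is that `requires_auth` never looks at the raw string at all: whatever spelling the client used, only the canonical form reaches the rule.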

Affected Products and Versions

                 Principal Product and Version(s)                  |Affected Supporting 
                                                                   |Product and Version 
- -------------------------------------------------------------------+--------------------
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5,  |IBM HTTP Server     
2.5.0.1, 2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5, 2.5.0.6, 2.5.0.7,     |8.5.5 to 8.5.5.15   
2.5.0.8, 2.5.0.9                                                   |                    
- -------------------------------------------------------------------+--------------------
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.4,  |IBM HTTP Server     
2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5                        |8.5.5 to 8.5.5.12   

Remediation/Fixes

The recommended solution is to apply the fixes as soon as practical.

+-------------+-------------------+-------------------------------------------+
|Principal    |                   |                                           |
|Product and  |VRMF               |Remediation/First Fix                      |
|Version(s)   |                   |                                           |
+-------------+-------------------+-------------------------------------------+
|IBM Cloud    |2.5, 2.5.0.1,      |For 2.5 versions, IBM recommends upgrading |
|Orchestrator |2.5.0.2, 2.5.0.3,  |to Fix Pack 10 (2.5.0.10) of IBM Cloud     |
|and IBM Cloud|2.5.0.4, 2.5.0.5,  |Orchestrator:                              |
|Orchestrator |2.5.0.6, 2.5.0.7,  |                                           |
|Enterprise   |2.5.0.8, 2.5.0.9   |https://www.ibm.com/support/pages/         |
|             |                   |ibm-cloud-orchestrator-fix-pack-10-25010-25|
+-------------+-------------------+-------------------------------------------+
|IBM Cloud    |                   |                                           |
|Orchestrator |2.4, 2.4.0.1,      |                                           |
|and IBM Cloud|2.4.0.2, 2.4.0.3,  |Contact IBM Cloud Orchestrator support.    |
|Orchestrator |2.4.0.4, 2.4.0.5   |                                           |
|Enterprise   |                   |                                           |
+-------------+-------------------+-------------------------------------------+
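The following is an added example, not IBM's or AusCERT's code, for turning the two tables above into a repeatable inventory check. The version ranges and remediation text are transcribed from the bulletin; the inventory records (host names and installed versions) are constructed. Versions are compared component by component, because a plain string comparison would place 8.5.5.15 before 8.5.5.9.

```python
"""Assess IBM Cloud Orchestrator (ICO) deployments against this bulletin.

Added example; not code from IBM or AusCERT. RULES is transcribed from the
bulletin's "Affected Products and Versions" and "Remediation/Fixes" tables;
INVENTORY is constructed sample data.
"""
from typing import List, NamedTuple, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'8.5.5.12' -> (8, 5, 5, 12); missing trailing components count as 0,
    so '8.5.5' becomes (8, 5, 5, 0) and sorts below '8.5.5.1'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


class Rule(NamedTuple):
    ico_train: Tuple[int, int]  # ICO release train, e.g. (2, 5)
    ico_affected_max: str       # highest affected ICO version in the table
    ihs_min: str                # affected IBM HTTP Server range, inclusive
    ihs_max: str
    remediation: str


RULES = [
    Rule((2, 5), "2.5.0.9", "8.5.5", "8.5.5.15",
         "Upgrade to IBM Cloud Orchestrator Fix Pack 10 (2.5.0.10)"),
    Rule((2, 4), "2.4.0.5", "8.5.5", "8.5.5.12",
         "Contact IBM Cloud Orchestrator support"),
]


def assess(ico_version: str, ihs_version: str) -> Tuple[bool, str]:
    """Return (affected, note) for one deployment.

    A deployment is affected when its ICO version is within a listed train
    and not above that train's highest affected version, and the bundled
    IBM HTTP Server version lies inside the range listed for the train.
    """
    ico = parse_version(ico_version)
    ihs = parse_version(ihs_version)
    for rule in RULES:
        if ico[:2] != rule.ico_train:
            continue
        if ico > parse_version(rule.ico_affected_max):
            return False, "ICO %s is above the affected versions listed" % ico_version
        if parse_version(rule.ihs_min) <= ihs <= parse_version(rule.ihs_max):
            return True, rule.remediation
        return False, "IHS %s is outside the range %s to %s listed for this train" % (
            ihs_version, rule.ihs_min, rule.ihs_max)
    return False, "ICO %s is not in a train listed in this bulletin" % ico_version


# Constructed inventory: (host, ICO version, IBM HTTP Server version).
INVENTORY = [
    ("ico-prod-01", "2.5.0.7", "8.5.5.14"),
    ("ico-prod-02", "2.5.0.10", "8.5.5.16"),
    ("ico-legacy-01", "2.4.0.3", "8.5.5.12"),
    ("ico-legacy-02", "2.4.0.3", "8.5.5.13"),
]


def triage(inventory) -> List[Tuple[str, bool, str]]:
    """Apply assess() to every inventory record."""
    return [(host,) + assess(ico, ihs) for host, ico, ihs in inventory]


if __name__ == "__main__":
    for host, affected, note in triage(INVENTORY):
        print("%-14s %-8s %s" % (host, "AFFECTED" if affected else "ok", note))
```

A record that falls outside the listed ranges is reported as not affected by this bulletin only; it says nothing about other bulletins, which is why the note carries the range it was compared against rather than a bare verdict.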

Refer to the following security bulletin for vulnerability details and fix
information for the IBM HTTP Server shipped with IBM Cloud Orchestrator and
IBM Cloud Orchestrator Enterprise:

+----------------------------------------+-----------+------------------------+
|                                        |           |                        |
|                                        |Affected   |Affected Supporting     |
|Principal Product and Version(s)        |Supporting |Product Security        |
|                                        |Product and|Bulletin                |
|                                        |Version    |                        |
+----------------------------------------+-----------+------------------------+
|IBM Cloud Orchestrator and IBM Cloud    |           |Security Bulletin:      |
|Orchestrator Enterprise 2.5, 2.5.0.1,   |IBM HTTP   |Multiple vulnerabilities|
|2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5,     |Server     |in IBM HTTP Server      |
|2.5.0.6, 2.5.0.7, 2.5.0.8, 2.5.0.9, 2.4,|8.5.5 to   |(CVE-2019-0211          |
|2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4,     |8.5.5.15   |CVE-2019-0220)          |
|2.4.0.5                                 |           |                        |
+----------------------------------------+-----------+------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXa6Mj2aOgq3Tt24GAQjZKQ//UshOOzPeyAGpaomlc/QwZWrnsHzYIJhr
uQ20/6kqWWyfCwxhHWXuhC3azOaGRR1gcGlWOPMI/9NoEO0No+XVHshcYzPK+JsB
iyHkkrRpSmNCZz50e3vO3jumruVHmeMjI78+g9UoCvsPs+kjdERNoxmTmNJ4Geme
NYSoZMLxtliF/FmH1WgFCSgccOqI6Aga5E2qdHREszMJLfGEUWrzAZeKsSiM8PBJ
pdcgsL9hnyeSJ1VEQakR8sFgBFziT7QR45KS1omZQOsW0u/fb1TC1u3uqU62Pnom
BkM32TTi2BX2/uiWGPGGP2bgUebjlr4sfxwNZjAxV6wB5CVWzkKzo+YXYMX04tqN
7prQ6gU6jcw5Pn+ewO8b/3wiwenweUnCZKzEuEH0GHqgRU9xbiG3xYKe88DR525A
dKQ+ZiObDrQL39qHwvC85BB/wol7PFMO0P9Gc2sMUlPODirQQJJVVVNgFkZvGqOO
f1fmAPl4blKM5fPLBxgZwt/QdAm/EP5BbJ+N4hanfAmytNHLtxrjPfJ75obLgSst
LzUKogpaUxnAO8z7VBMIkyMQKw8WH6XIrisGY1S/aoAtYncVmFxsQHFesVF7VCfv
TtVHbk+hoEq8mSuq5GB4WPPHZKzLMYq9o4RSFFWcuv1TKFdxmAtzfxzQsdaM99do
CgX43Zmhnpw=
=k4RH
-----END PGP SIGNATURE-----