-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4298
          Security Bulletin: A vulnerability in IBM Java Runtime
                        affects IBM SPSS Statistics
                             14 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SPSS Statistics
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
                   Mac OS
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12547  

Reference:         ESB-2019.3567
                   ESB-2019.3431
                   ESB-2019.2885
                   ESB-2019.2771
                   ESB-2019.2714

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1106673

- --------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in IBM Java Runtime affects IBM SPSS Statistics

Security Bulletin

Summary

There is a vulnerability in IBM Runtime Environment Java Versions 7.0, 7.1, and
8.0 used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the
applicable CVE.

Vulnerability Details

CVEID: CVE-2018-12547
DESCRIPTION: In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf()
and jio_vsnprintf() native methods ignored the length parameter. As a result,
existing APIs that called these functions could write past the end of the
allocated buffer. These functions were not directly callable by non-native
user code.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
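
The flaw class in the description above, a snprintf-style wrapper that accepts a length but never enforces it, shown beside a bounded version. This is an added illustration, not OpenJ9 or IBM code: the function names, sizes and input are constructed, and the out-of-bounds write lands inside a larger array so the demo itself stays memory-safe.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ARENA  64    /* real allocation; keeps the demo's writes in bounds */
#define LIMIT  8     /* length the caller passes and expects to be honoured */
#define CANARY 0x5A  /* fill byte used to detect writes past LIMIT */

/* Flawed pattern (hypothetical name): n is accepted but never used. */
static int fmt_ignoring_length(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    (void)n;
    va_start(ap, fmt);
    int r = vsprintf(buf, fmt, ap);
    va_end(ap);
    return r;
}

/* Corrected pattern: n bounds the write; truncation is reported as -1. */
static int fmt_bounded(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    if (n == 0) return -1;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    if (r < 0 || (size_t)r >= n) { buf[n - 1] = '\0'; return -1; }
    return r;
}

/* Number of bytes modified beyond LIMIT, or -1 if input would not fit ARENA. */
static int bytes_past_limit(int use_bounded, const char *input)
{
    char arena[ARENA];
    int spilled = 0;
    if (strlen(input) >= ARENA) return -1;
    memset(arena, CANARY, sizeof arena);
    if (use_bounded) fmt_bounded(arena, LIMIT, "%s", input);
    else             fmt_ignoring_length(arena, LIMIT, "%s", input);
    for (int i = LIMIT; i < ARENA; i++)
        if (arena[i] != CANARY) spilled++;
    return spilled;
}

int main(void)
{
    const char *in = "0123456789ABCDEF";  /* constructed 16-character input */
    printf("ignoring length: %d bytes past limit\n", bytes_past_limit(0, in));
    printf("bounded:         %d bytes past limit\n", bytes_past_limit(1, in));
    return 0;
}
```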

Affected Products and Versions

+------------------+--------+
|Affected Products |Versions|
+------------------+--------+
|SPSS Statistics   |26.0    |
+------------------+--------+
|SPSS Statistics   |25.0    |
+------------------+--------+
|SPSS Statistics   |24.0    |
+------------------+--------+
|SPSS Statistics   |23.0    |
+------------------+--------+

Remediation/Fixes

+-------------+--------+--------------------------+
|Affected     |Versions|Fixes                     |
|Products     |        |                          |
+-------------+--------+--------------------------+
|SPSS         |26.0    |Install Statistics 26     |
|Statistics   |        |FP001                     |
+-------------+--------+--------------------------+
|SPSS         |25.0    |Install Statistics 25     |
|Statistics   |        |FP002-IF006               |
+-------------+--------+--------------------------+
|SPSS         |24.0    |Install Statistics 24     |
|Statistics   |        |FP002-IF019               |
+-------------+--------+--------------------------+
|SPSS         |23.0    |Install Statistics 23     |
|Statistics   |        |FP003-IF017               |
+-------------+--------+--------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=A99l
-----END PGP SIGNATURE-----