-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4298
   Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS
                                 Statistics
                               14 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SPSS Statistics
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
                   Mac OS
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12547

Reference:         ESB-2019.3567
                   ESB-2019.3431
                   ESB-2019.2885
                   ESB-2019.2771
                   ESB-2019.2714

Original Bulletin:
   https://www.ibm.com/support/pages/node/1106673

- --------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in IBM Java Runtime affects IBM SPSS Statistics

Security Bulletin

Summary

There is a vulnerability in IBM Runtime Environment Java Versions 7.0, 7.1,
and 8.0 used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the
applicable CVE.

Vulnerability Details

CVEID: CVE-2018-12547
DESCRIPTION: In Eclipse OpenJ9, prior to the 0.12.0 release, the
jio_snprintf() and jio_vsnprintf() native methods ignored the length
parameter. As a result, existing APIs that called these functions could
exceed the allocated buffer. These functions were not directly callable by
non-native user code.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/157512 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+------------------+--------+
|Affected Products |Versions|
+------------------+--------+
|SPSS Statistics   |26.0    |
+------------------+--------+
|SPSS Statistics   |25.0    |
+------------------+--------+
|SPSS Statistics   |24.0    |
+------------------+--------+
|SPSS Statistics   |23.0    |
+------------------+--------+

Remediation/Fixes

+------------------+--------+----------------------------------+
|Affected Products |Versions|Fixes                             |
+------------------+--------+----------------------------------+
|SPSS Statistics   |26.0    |Install Statistics 26 FP001       |
+------------------+--------+----------------------------------+
|SPSS Statistics   |25.0    |Install Statistics 25 FP002-IF006 |
+------------------+--------+----------------------------------+
|SPSS Statistics   |24.0    |Install Statistics 24 FP002-IF019 |
+------------------+--------+----------------------------------+
|SPSS Statistics   |23.0    |Install Statistics 23 FP003-IF017 |
+------------------+--------+----------------------------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
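The Vulnerability Details above describe a bounded-formatting routine that ignored its length argument. The following is an added illustration, not OpenJ9 or IBM code: a constructed wrapper (hypothetical names bounded_jio_snprintf and format_would_overflow) that honours the length the way a jio_snprintf()-style function must, plus a no-write pre-check that reports whether a given format call would have overrun a buffer of a given size.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed bounded wrapper (hypothetical name; not OpenJ9 source).
 * This is the behaviour a jio_snprintf()-style function must have: honour
 * len, always NUL-terminate, and return the length the full output needed
 * so callers can detect truncation with (ret < 0 || (size_t)ret >= len). */
int bounded_jio_snprintf(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int needed;
    if (buf == NULL || len == 0)
        return -1;                 /* no room to write even the terminator */
    va_start(ap, fmt);
    needed = vsnprintf(buf, len, fmt, ap);   /* at most len-1 chars + NUL */
    va_end(ap);
    buf[len - 1] = '\0';           /* defensive: guarantee termination */
    return needed;
}

/* Returns 1 if formatting fmt with these arguments into a len-byte buffer
 * would not fit, 0 if it would. This is the check the pre-0.12.0 OpenJ9
 * code effectively lacked: the length argument was ignored, so a caller
 * whose output exceeded its buffer overran it. The size is measured with a
 * NULL, 0 target, so nothing is written anywhere. */
int format_would_overflow(size_t len, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0)
        return 1;                  /* encoding error: treat as unsafe */
    return (size_t)needed >= len;  /* needed chars plus NUL must fit in len */
}

int main(void)
{
    char buf[8];
    const char *input = "0123456789abcdef";  /* constructed 16-char input */
    int needed = bounded_jio_snprintf(buf, sizeof buf, "%s", input);
    printf("needed=%d stored=\"%s\" would_overflow=%d\n", needed, buf,
           format_would_overflow(sizeof buf, "%s", input));
    return 0;
}
```

The return value of the bounded wrapper is the length the output needed, not the length stored, so a caller that sees it reach the buffer size knows the data was truncated rather than silently losing it.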
===========================================================================