Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4322
Security Bulletin: Multiple vulnerabilities in IBM Java SDK
affect IBM Performance Management products
15 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Performance Management
Publisher: IBM
Operating System: Linux variants
Impact/Access: Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-2449 CVE-2019-2426 CVE-2019-2422
CVE-2018-11212
Reference: ESB-2019.3567
ESB-2019.3495
ESB-2019.2938
ESB-2019.2879
Original Bulletin:
https://www.ibm.com/support/pages/node/1106973
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management
products
Security Bulletin
Summary
There are multiple vulnerabilities in IBM(R) SDK Java(TM) Technology Edition used by
IBM Monitoring. IBM Monitoring has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2019-2422
DESCRIPTION: Vulnerability in the Java SE component of Oracle Java SE
(subcomponent: Libraries). Supported versions that are affected are Java SE:
7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Java SE. Successful attacks require human interaction
from a person other than the attacker. Successful attacks of this vulnerability
can result in unauthorized read access to a subset of Java SE accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets (in
Java SE 8), that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability does
not apply to Java deployments, typically in servers, that load and run only
trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score
3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/
C:L/I:N/A:N).
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155741 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-2449
DESCRIPTION: Vulnerability in the Java SE component of Oracle Java SE
(subcomponent: Deployment). The supported version that is affected is Java SE:
8u192. Difficult to exploit vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Java SE. Successful attacks
require human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed Java Web
Start applications or sandboxed Java applets (in Java SE 8), that load and run
untrusted code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java deployments,
typically in servers, that load and run only trusted code (e.g., code installed
by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155766 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-2426
DESCRIPTION: Vulnerability in the Java SE component of Oracle Java SE
(subcomponent: Networking). Supported versions that are affected are Java SE:
7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Java SE. Successful attacks of this vulnerability can
result in unauthorized read access to a subset of Java SE accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets (in
Java SE 8), that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can
also be exploited by using APIs in the specified Component, e.g., through a web
service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
(Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/
I:N/A:N).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-11212
DESCRIPTION: An issue was discovered in libjpeg 9a. The alloc_sarray function
in jmemmgr.c allows remote attackers to cause a denial of service
(divide-by-zero error) via a crafted file.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
143429 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Affected Products and Versions
+-----------------------------------------------+----------+
|Affected Product(s) |Version(s)|
+-----------------------------------------------+----------+
|IBM Cloud APM, Base Private |8.1.4 |
+-----------------------------------------------+----------+
|IBM Cloud APM, Advanced Private |8.1.4 |
+-----------------------------------------------+----------+
|IBM Cloud APM |8.1.4 |
+-----------------------------------------------+----------+
|IBM Monitoring |8.1.3 |
+-----------------------------------------------+----------+
|IBM Application Diagnostics |8.1.3 |
+-----------------------------------------------+----------+
|IBM Application Performance Management |8.1.3 |
+-----------------------------------------------+----------+
|IBM Application Performance Management Advanced|8.1.3 |
+-----------------------------------------------+----------+
Remediation/Fixes
+-----------+-----+-----------------------------------------------------------------------------+
|IBM | | |
|Application| | |
|Performance| |The vulnerabilitiescan be remediated by applying the following |
|Management,| |8.1.4.0-IBM-APM-SERVER-IF0009 server patch to the system where the Cloud APM |
|Base | |server is installed: http://www.ibm.com/support/docview.wssuid=ibm10961578 |
|Private | | |
| |8.1.4|The vulnerabilities can be remediated by applying the following |
|IBM | |8.1.4.0-IBM-APM-GATEWAY-IF0007Hybrid Gateway patch to the system where the |
|Application| |Hybrid Gateway is installed: https://www.ibm.com/support/docview.wssuid= |
|Performance| |ibm10961656 |
|Management,| | |
|Advanced | | |
|Private | | |
+-----------+-----+-----------------------------------------------------------------------------+
|IBM Cloud | |The vulnerabilities can be remediated by applying the following |
|Application|N/A |8.1.4.0-IBM-APM-GATEWAY-IF0007 Hybrid Gateway patch to the system where the |
|Performance| |Hybrid Gateway is installed: https://www.ibm.com/support/docview.wssuid= |
|Management | |ibm10961656 |
+-----------+-----+-----------------------------------------------------------------------------+
|IBM | | |
|Monitoring | | |
| | | |
|IBM | |The vulnerabilitiescan be remediated by applying the following |
|Application| |8.1.3.0-IBM-IPM-SERVER-IF0016 server patch to the system where the APM server|
|Diagnostics| |is installed: https://www.ibm.com/support/pages/ |
|IBM | |ibm-application-performance-management-813-8130-ibm-ipm-server-if0016-readme |
|Application|8.1.3| |
|Performance| |The vulnerabilities can be remediated by applying the following |
|Management | |8.1.3.0-IBM-IPM-GATEWAY-IF0012 Hybrid Gateway patch to the system where the |
|IBM | |Hybrid Gateway is installed: https://www.ibm.com/support/pages/ |
|Application| |ibm-application-performance-management-813-8130-ibm-apm-gateway-if0012-readme|
|Performance| | |
|Management | | |
|Advanced | | |
| | | |
+-----------+-----+-----------------------------------------------------------------------------+
Workarounds and Mitigations
+-----------+-----+-----------------------------------------------------------------------------+
|IBM | | |
|Application| | |
|Performance| |The vulnerabilitiescan be remediated by applying the following |
|Management,| |8.1.4.0-IBM-APM-SERVER-IF0009 server patch to the system where the Cloud APM |
|Base | |server is installed: http://www.ibm.com/support/docview.wssuid=ibm10961578 |
|Private | | |
| |8.1.4|The vulnerabilities can be remediated by applying the following |
|IBM | |8.1.4.0-IBM-APM-GATEWAY-IF0007Hybrid Gateway patch to the system where the |
|Application| |Hybrid Gateway is installed: https://www.ibm.com/support/docview.wssuid= |
|Performance| |ibm10961656 |
|Management,| | |
|Advanced | | |
|Private | | |
+-----------+-----+-----------------------------------------------------------------------------+
|IBM Cloud | |The vulnerabilities can be remediated by applying the following |
|Application|N/A |8.1.4.0-IBM-APM-GATEWAY-IF0007 Hybrid Gateway patch to the system where the |
|Performance| |Hybrid Gateway is installed: https://www.ibm.com/support/docview.wssuid= |
|Management | |ibm10961656 |
+-----------+-----+-----------------------------------------------------------------------------+
|IBM | | |
|Monitoring | | |
| | | |
|IBM | |The vulnerabilitiescan be remediated by applying the following |
|Application| |8.1.3.0-IBM-IPM-SERVER-IF0016 server patch to the system where the APM server|
|Diagnostics| |is installed: https://www.ibm.com/support/pages/ |
|IBM | |ibm-application-performance-management-813-8130-ibm-ipm-server-if0016-readme |
|Application|8.1.3| |
|Performance| |The vulnerabilities can be remediated by applying the following |
|Management | |8.1.3.0-IBM-IPM-GATEWAY-IF0012 Hybrid Gateway patch to the system where the |
|IBM | |Hybrid Gateway is installed: https://www.ibm.com/support/pages/ |
|Application| |ibm-application-performance-management-813-8130-ibm-apm-gateway-if0012-readme|
|Performance| | |
|Management | | |
|Advanced | | |
| | | |
+-----------+-----+-----------------------------------------------------------------------------+
Get Notified about Future Security Bulletins
References
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXc4dZmaOgq3Tt24GAQjF2w//RWU0XBvGTC8fAYQxevKDLQkHyTee0mGL
NSnNvMYHKKVA8nPL18TdsLp9B6aEeh3jcfDa/pVKQygw7+TslsQ78aTEH+UZAAdv
bR8EgsK+x1GAuGrOleiUiBZoQ8niXX4wS3wDXQ6mS1jq3vXAL2NnjghbSVVSZ+b3
l4Ct+kqKdOXL6qhIFal3fFUcdtzDkujzxIEwaywtCuUYoYMEczHuGkK0pQiObaEO
sm5eUxCG16Zs/LP1bdUhRsQzADzhpTmkspwX5wskpilBaav1ErP/D0l+83kFK9HP
aQOobVTZSySP64uK4UAXPYyeJVBgLeph1jp4eTgYkSnJSlBlW9orJGhGXN+KL381
03z60xYk48MArSuRFik4XDH45vZRv8odSYCHBx8gURh7Inxk1G8C0bwlXAJPEsyQ
O2YU2xUS9Pado0KoYNpM1AiJmyEWUwY10/cqciPeO14mSAJUC43TVl6BCQ/fjgZ+
gLoJtw+r4pWDJoEGUBG5maA3eRHGrLhLsxP4QxRUUpWpcsqRniaTeZtkmz6NCCnW
koXg2NT4cYoy6hUHUdcnArh92nU0zdGey4PZAL3E+T+3JR610wfudM4nOWb+pNFB
nODaDIgfFw/gjCtx2/l7FutmRQX7pl3zK3m2eOGLPbzVk2vZ6uMYDQsZCz1HVnh7
7OtYXKWlWT0=
=aEX7
-----END PGP SIGNATURE-----