===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4586
       Security Bulletin: IBM Transparent Cloud Tiering is affected
                        by multiple vulnerabilities
                              9 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Transparent Cloud Tiering
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16869 CVE-2019-12402 CVE-2019-9518
                   CVE-2019-9515 CVE-2019-9514 CVE-2019-9512
                   CVE-2019-2769 CVE-2019-2762 

Reference:         ASB-2019.0238
                   ESB-2019.4533
                   ESB-2019.4484

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1109775
   https://www.ibm.com/support/pages/node/1108515
   https://www.ibm.com/support/pages/node/1109781
   https://www.ibm.com/support/pages/node/1109787

Comment: This bulletin contains four (4) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Transparent Cloud Tiering is affected by Netty vulnerability

Security Bulletin

Summary

The Netty library used by IBM Transparent Cloud Tiering is affected by the
vulnerability below. IBM Transparent Cloud Tiering has fixed this CVE.

Vulnerability Details

CVEID: CVE-2019-16869
DESCRIPTION: Netty before 4.1.42.Final mishandles whitespace before the colon
in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to
HTTP request smuggling.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167672 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
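The parsing disagreement behind this CVE, as an added illustration written for this bulletin (not Netty's or IBM's code): a lenient parser silently repairs the field-name while a strict RFC 7230 parser rejects it, so a hardened front end should fail closed on such input. The sample request is constructed.

```python
import re

# Constructed sample request (not from the bulletin): the Transfer-Encoding
# field-name carries a space before the colon, the shape this CVE describes.
SMUGGLED = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\n")
CLEAN = b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n\r\n"

# RFC 7230 section 3.2.6 token: the only bytes allowed in a field-name.
TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

class BadRequest(ValueError):
    """Answer 400 rather than guess what a malformed header line meant."""

def lenient_headers(raw: bytes) -> dict:
    """Forgiving parser: trims the field-name, so 'Transfer-Encoding : chunked'
    is honoured as Transfer-Encoding and the body is read as chunked."""
    out = {}
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(b":")
        out[name.strip().lower()] = value.strip()
    return out

def strict_headers(raw: bytes) -> dict:
    """RFC 7230 section 3.2.4: whitespace between field-name and colon must be
    rejected, never repaired; a message carrying both CL and TE is rejected too."""
    out = {}
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep or not TCHAR.match(name):
            raise BadRequest(f"malformed field-name {name!r}")
        out[name.lower()] = value.strip()
    if b"transfer-encoding" in out and b"content-length" in out:
        raise BadRequest("Transfer-Encoding and Content-Length both present")
    return out

def parsers_disagree(raw: bytes) -> bool:
    """True when a lenient hop would honour a Transfer-Encoding that a strict hop
    rejects: two hops framing one byte stream differently enables smuggling."""
    try:
        strict_headers(raw)
    except BadRequest:
        return b"transfer-encoding" in lenient_headers(raw)
    return False
```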

Affected Products and Versions

Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10
Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2

Remediation/Fixes

For Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10, apply Transparent Cloud
Tiering 1.1.3.11 bundled with IBM Spectrum Scale V4.2.3.19 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all

For Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2, apply Transparent Cloud
Tiering 1.1.7.3 bundled with IBM Spectrum Scale V5.0.4.1 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.0.4&platform=All&function=all

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Transparent Cloud Tiering is affected by a vulnerability in Apache Commons
Compress (CVE-2019-12402)

Security Bulletin

Summary

Apache Commons Compress, used by IBM Transparent Cloud Tiering, is vulnerable to
a denial of service. IBM Transparent Cloud Tiering has addressed the following
vulnerability.

Vulnerability Details

CVEID: CVE-2019-12402
DESCRIPTION: The file name encoding algorithm used internally in Apache Commons
Compress 1.15 to 1.18 can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an attacker can
choose the file names inside of an archive created by Compress.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
165956 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10
Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2

Remediation/Fixes

For Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10, apply Transparent Cloud
Tiering 1.1.3.11 bundled with IBM Spectrum Scale V4.2.3.19 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all

For Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2, apply Transparent Cloud
Tiering 1.1.7.3 bundled with IBM Spectrum Scale V5.0.4.1 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.0.4&platform=All&function=all

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

Multiple vulnerabilities in Node.js affect IBM Transparent Cloud Tiering

Security Bulletin

Summary

There are vulnerabilities in Node.js used by IBM Transparent Cloud Tiering. IBM
Transparent Cloud Tiering has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2019-9514
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a reset flood,
potentially leading to a denial of service. The attacker opens a number of
streams and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer queues the
RST_STREAM frames, this can consume excess memory, CPU, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164640 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9512
DESCRIPTION: Some HTTP/2 implementations are vulnerable to ping floods,
potentially leading to a denial of service. The attacker sends continual pings
to an HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164903 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9518
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a flood of empty
frames, potentially leading to a denial of service. The attacker sends a stream
of frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends
time processing each frame disproportionate to attack bandwidth. This can
consume excess CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
164904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9515
DESCRIPTION: Some HTTP/2 implementations are vulnerable to a settings flood,
potentially leading to a denial of service. The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer reply with
one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data is
queued, this can consume excess CPU, memory, or both.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
165181 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
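One defensive heuristic against the four flood patterns described above, as an added example (not Node.js or IBM code; the budget value and the frame sequences are assumed or constructed): a per-connection budget that is spent by inbound frames which cost the peer work without advancing any stream, and by the RST_STREAM frames the peer is provoked into sending, and refunded by ordinary traffic.

```python
from dataclasses import dataclass

# HTTP/2 frame type codes (RFC 7540 section 6) and the two flag bits used here.
DATA, HEADERS, RST_STREAM, SETTINGS = 0x0, 0x1, 0x3, 0x4
PUSH_PROMISE, PING, CONTINUATION = 0x5, 0x6, 0x9
END_STREAM = 0x1  # on DATA / HEADERS
ACK = 0x1         # on SETTINGS / PING

@dataclass
class Frame:
    ftype: int
    flags: int = 0
    length: int = 0  # payload bytes

def is_nonproductive(f: Frame) -> bool:
    """A frame the peer must process or answer but that advances no stream:
    the shape of the ping, settings and empty-frame floods above."""
    if f.ftype in (PING, SETTINGS):
        return not f.flags & ACK  # each one obliges us to queue an ACK
    if f.ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE):
        return f.length == 0 and not f.flags & END_STREAM
    return False

class FloodGuard:
    """Per-connection budget (assumed default, tune per deployment). Inbound
    non-productive frames and the RST_STREAMs we are provoked into sending
    (the reset flood) each cost one unit; any other inbound frame refunds one."""

    def __init__(self, budget: int = 1000) -> None:
        self.budget = budget
        self.spent = 0

    def _charge(self, n: int) -> bool:
        self.spent = max(0, self.spent + n)
        # False means: send GOAWAY(ENHANCE_YOUR_CALM) and close the connection.
        return self.spent <= self.budget

    def on_inbound(self, f: Frame) -> bool:
        return self._charge(1 if is_nonproductive(f) else -1)

    def on_outbound_reset(self) -> bool:
        return self._charge(1)

def connection_survives(frames, budget: int = 1000) -> bool:
    """Replay a constructed inbound frame sequence through one guard."""
    guard = FloodGuard(budget)
    return all(guard.on_inbound(f) for f in frames)
```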

Affected Products and Versions

Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10
Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2

Remediation/Fixes

For Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10, apply Transparent Cloud
Tiering 1.1.3.11 bundled with IBM Spectrum Scale V4.2.3.19 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all

For Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2, apply Transparent Cloud
Tiering 1.1.7.3 bundled with IBM Spectrum Scale V5.0.4.1 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.0.4&platform=All&function=all

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Spectrum Scale Transparent Cloud Tiering is affected by multiple
vulnerabilities in IBM® Runtime Environment Java™ Version 8

Security Bulletin

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Version 8
used by IBM Spectrum Scale Transparent Cloud Tiering. IBM Spectrum Scale
Transparent Cloud Tiering has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2019-2762
DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Utilities). Supported versions that are affected are
Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily
exploitable vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise Java SE, Java SE Embedded. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8),
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
163826 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2769
DESCRIPTION: Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Utilities). Supported versions that are affected are
Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily
exploitable vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise Java SE, Java SE Embedded. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8),
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
163832 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10
Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2

Remediation/Fixes

For Transparent Cloud Tiering 1.1.1.0 thru 1.1.3.10, apply Transparent Cloud
Tiering 1.1.3.11 bundled with IBM Spectrum Scale V4.2.3.19 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all

For Transparent Cloud Tiering 1.1.5.0 thru 1.1.7.2, apply Transparent Cloud
Tiering 1.1.7.3 bundled with IBM Spectrum Scale V5.0.4.1 available from
FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.0.4&platform=All&function=all

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================