===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4588
    Multiple vulnerabilities found in IBM InfoSphere Information Server
                              9 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere Information Server
Publisher:         IBM
Operating System:  AIX
                   Windows
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote with User Interaction
                   Read-only Data Access           -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14439 CVE-2019-14379 CVE-2019-12814
                   CVE-2019-12384 CVE-2019-12086 CVE-2018-11771

Reference:         ASB-2019.0303
                   ASB-2019.0299

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1086039
   https://www.ibm.com/support/pages/node/1118283

Comment: This bulletin contains two (2) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A vulnerability in Apache Commons Compress affects IBM
InfoSphere Information Server connectivity components


Summary

A vulnerability in Apache Commons Compress was addressed by IBM InfoSphere
Information Server Cloud related connectors.

Vulnerability Details

CVEID: CVE-2018-11771
DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service,
caused by the ZipArchiveInputStream read method failing to return the correct
EOF indication after the end of the stream has been reached. By supplying a
specially crafted ZIP archive to be read, a remote attacker could exploit this
vulnerability to cause the application to enter an infinite loop.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
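An added defensive example (not IBM's or Apache's code; it assumes the Apache Commons Compress zip package is on the classpath): a read loop over ZipArchiveInputStream that is bounded by a per-entry byte cap and by a limit on zero-length reads, so that a stream which never signals EOF, the failure mode described above, still terminates instead of spinning. The limits and the sample archive are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

public class BoundedZipReader {
    // Hypothetical limits for this example; size them for the real workload.
    static final long MAX_BYTES_PER_ENTRY = 64L * 1024 * 1024;
    static final int MAX_ZERO_READS = 100;

    // Reads every entry and returns the total bytes, aborting when a bound is hit.
    public static long readAll(InputStream zip) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipArchiveInputStream in = new ZipArchiveInputStream(zip)) {
            ZipArchiveEntry e;
            while ((e = in.getNextZipEntry()) != null) {
                // In streaming mode the local header size may be absent or wrong,
                // so the cap is our own limit, not the archive's declared size.
                long got = 0;
                int zeroReads = 0, n;
                while ((n = in.read(buf)) != -1) {
                    // Bound both ways a stream can fail to signal EOF: data that keeps
                    // coming past the cap, or an endless run of zero-length reads.
                    if (n == 0 && ++zeroReads > MAX_ZERO_READS)
                        throw new IOException("no EOF from entry " + e.getName());
                    got += n;
                    if (got > MAX_BYTES_PER_ENTRY)
                        throw new IOException("entry " + e.getName() + " exceeds byte cap");
                }
                total += got;
            }
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive with one small entry, built with java.util.zip.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(bytes)) {
            out.putNextEntry(new ZipEntry("hello.txt"));
            out.write("hello".getBytes("UTF-8"));
            out.closeEntry();
        }
        System.out.println("bytes read: " + readAll(new ByteArrayInputStream(bytes.toByteArray())));
    }
}
```

The bounds are a containment measure for callers that cannot patch immediately; applying the connectivity security patch listed below remains the fix.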

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server: version 11.7.1.0
IBM InfoSphere Information Server on Cloud: version 11.7

Remediation/Fixes

+-----------+---------+---------+-----------------------------------------------+
|Product    |VRMF     |APAR     |Remediation/First Fix                          |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.7.1   |JR61522  |--Apply IBM InfoSphere Information Server      |
|Information|         |         |Connectivity Security patch                    |
|Server,    |         |         |                                               |
|Information|         |         |                                               |
|Server on  |         |         |                                               |
|Cloud      |         |         |                                               |
+-----------+---------+---------+-----------------------------------------------+

Workarounds and Mitigations
None

Change History
06 December 2019: Original version published

Document Information

Modified date:
06 December 2019

- --------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in Jackson databind affect IBM
InfoSphere Information Server

Summary

Multiple vulnerabilities in Jackson databind were addressed by IBM InfoSphere
Information Server.

Vulnerability Details

CVEID:   CVE-2019-12384
DESCRIPTION:   FasterXML jackson-databind 2.x before 2.9.9.1 might allow
attackers to have a variety of impacts by leveraging failure to block the
logback-core class from polymorphic deserialization. Depending on the
classpath content, remote code execution may be possible.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


CVEID:   CVE-2019-12086
DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint,
the service has the mysql-connector-java jar (8.0.14 or earlier) in the
classpath, and an attacker can host a crafted MySQL server reachable by the
victim, that attacker can send a crafted JSON message that allows them to read
arbitrary local files on the server. This occurs because of missing
com.mysql.cj.jdbc.admin.MiniAdmin validation.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161256 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


CVEID:   CVE-2019-14379
DESCRIPTION:   SubTypeValidator.java in FasterXML jackson-databind before
2.9.9.2 mishandles default typing when ehcache is used (because of
net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading
to remote code execution.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165286 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


CVEID:   CVE-2019-14439
DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is
enabled (either globally or for a specific property) for an externally exposed
JSON endpoint and the service has the logback jar in the classpath.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


CVEID:   CVE-2019-12814
DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML
jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either
globally or for a specific property) for an externally exposed JSON endpoint
and the service has the JDOM 1.x or 2.x jar in the classpath, an attacker can
send a specifically crafted JSON message that allows them to read arbitrary
local files on the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
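All four Jackson CVEs above share one precondition: Default Typing enabled on an externally exposed endpoint, so that any class on the classpath (logback, ehcache, JDOM, the MySQL connector) can be named as a deserialization target. As an added example (not IBM's or FasterXML's code; it assumes jackson-databind 2.10 or later, where activateDefaultTyping and BasicPolymorphicTypeValidator exist), the weak configuration is shown beside one that restricts type ids to an application allowlist. Event, Login and the message strings are constructed for the example.

```java
import java.io.IOException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Hypothetical application types that the endpoint is meant to accept.
    public interface Event { }
    public static class Login implements Event { public String user; }

    // Weak: every class on the classpath is accepted as a type id.
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened: only subtypes of Event may be named by a type id.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    static final ObjectMapper MAPPER = hardenedMapper();

    // Returns the parsed event, or null when the message named a class outside the allowlist.
    public static Event parse(String json) throws IOException {
        try {
            return MAPPER.readValue(json, Event.class);
        } catch (InvalidTypeIdException e) {
            System.err.println("rejected type id: " + e.getTypeId()); // log and drop
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        Login login = new Login();
        login.user = "alice";
        // Round-trip a legitimate message: the type id names a subtype of Event.
        System.out.println(parse(MAPPER.writeValueAsString(login)) instanceof Login);
        // Constructed message naming a JDK class that is not an Event: denied by the validator.
        System.out.println(parse("[\"java.util.HashMap\",{}]") == null);
    }
}
```

The allowlist complements, not replaces, the version upgrades in the remediation table; a denied type id is worth logging, since it is a direct signal that someone is probing the endpoint.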

Affected Products and Versions

+------------------------------------+-------+
|Affected Product(s)                 |Version|
|                                    |(s)    |
+------------------------------------+-------+
|InfoSphere Information Server,      |11.7   |
|Information Server on Cloud         |       |
+------------------------------------+-------+
|InfoSphere Information Server,      |11.5   |
|Information Server on Cloud         |       |
+------------------------------------+-------+

Remediation/Fixes

+-----------+---------+---------+-----------------------------------------------+
|Product    |VRMF     |APAR     |Remediation/First Fix                          |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.7     |JR61495  |--Apply IBM InfoSphere Information Server      |
|Information|         |JR61521  |version 11.7.1.0                               |
|Server,    |         |         |--Apply IBM InfoSphere Information Server      |
|Information|         |         |11.7.1.0 Service Pack 2                        |
|Server on  |         |         |--Apply Information Server Cloud connectors    |
|Cloud      |         |         |Security patch                                 |
|           |         |         |--Apply Information Server Amazon S3 connector |
|           |         |         |Security patch                                 |
|           |         |         |--For Information Analyzer, Data Flow Designer,|
|           |         |         |Quality Stage, Enterprise Search, contact IBM  |
|           |         |         |Customer Support                               |
+-----------+---------+---------+-----------------------------------------------+
|InfoSphere |11.5     |JR61495  |--Apply InfoSphere Information Server version  |
|Information|         |         |11.5.0.2                                       |
|Server,    |         |         |--Apply InfoSphere Information Server 11.5.0.2 |
|Information|         |         |Service Pack 6                                 |
|Server on  |         |         |--Apply Information Server Amazon S3 connector |
|Cloud      |         |         |Security patch                                 |
|           |         |         |--For Information Analyzer and Metadata Asset  |
|           |         |         |Manager, contact IBM Customer Support          |
+-----------+---------+---------+-----------------------------------------------+


Workarounds and Mitigations

None

Change History

06 Dec 2019: Initial Publication

Document Information

Modified date:
06 December 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================