===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0271
       Security Bulletin: IBM Security Information Queue uses database
                    components with known vulnerabilities
        (CVE-2016-3506, CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)
                               28 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Information Queue
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Administrator Compromise        -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9193 CVE-2018-10936 CVE-2018-1058 CVE-2016-3506

Reference:         ASB-2018.0174
                   ASB-2018.0089

Original Bulletin:
   https://www.ibm.com/support/pages/node/1282324

--------------------------BEGIN INCLUDED TEXT--------------------

IBM Security Information Queue uses database components with known
vulnerabilities (CVE-2016-3506, CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)

Security Bulletin

Summary

IBM Security Information Queue (ISIQ) relies on older Oracle JDBC and
PostgreSQL JAR files that have known vulnerabilities. As of v1.0.5, ISIQ
switched to newer, secure versions of the JAR files.
Vulnerability Details

CVEID: CVE-2016-3506
DESCRIPTION: Unspecified vulnerability in the JDBC component in Oracle Database
Server 11.2.0.4, 12.1.0.1, and 12.1.0.2; the Oracle Retail Xstore Point of
Service 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, and 16.0; the Oracle Retail Warehouse
Management System 14.04, 14.1.3, and 15.0.1; the Oracle Retail Workforce
Management 1.60.7, and 1.64.0; the Oracle Retail Clearance Optimization Engine
13.4; the Oracle Retail Markdown Optimization 13.4 and 14.0; and Oracle Retail
Merchandising System 16.0 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors.
CVSS Base score: 8.1
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/115131 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1058
DESCRIPTION: A flaw was found in the way PostgreSQL allowed a user to modify
the behavior of a query for other users. An attacker with a user account could
use this flaw to execute code with the permissions of superuser in the
database. Versions 9.3 through 10 are affected.
CVSS Base score: 6.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/139844 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-10936
DESCRIPTION: A weakness was found in postgresql-jdbc before version 42.2.5. It
was possible to provide an SSL Factory and not check the host name if a host
name verifier was not provided to the driver. This could lead to a condition
where a man-in-the-middle attacker could masquerade as a trusted server by
providing a certificate for the wrong host, as long as it was signed by a
trusted CA.
CVSS Base score: 5.9
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/149157 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2019-9193
DESCRIPTION: ** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM
PROGRAM" function allows superusers and users in the 'pg_execute_server_program'
group to execute arbitrary code in the context of the database's operating
system user. This functionality is enabled by default and can be abused to run
arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third
parties claim/state this is not an issue because PostgreSQL functionality for
COPY TO/FROM PROGRAM is acting as intended. References state that in
PostgreSQL, a superuser can execute commands as the server user without using
the COPY FROM PROGRAM.
CVSS Base score: 7.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/159212 for the current
score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+-------------------------------------+---------------------------------+
|Affected Product(s)                  |Version(s)                       |
+-------------------------------------+---------------------------------+
|IBM Security Information Queue (ISIQ)|1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4|
+-------------------------------------+---------------------------------+

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged
at 1.0.5 or greater) from the Docker Hub repository. The instructions for
accessing and deploying the images can be found on the ISIQ starter kit page:
https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
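The CVE-2018-10936 entry above describes the exact condition to look for in a deployment: a PostgreSQL JDBC URL that supplies a custom sslfactory but no sslhostnameverifier, on a driver older than 42.2.5. The audit below is an added example written for this bulletin, not IBM or ISIQ code; it parses jdbc:postgresql:// URLs with the driver's documented sslmode/ssl/sslfactory/sslhostnameverifier parameters and assumes only that the configured JDBC URL and driver version can be read from the deployment. The host name and factory class in the sample inputs are constructed.

```python
"""Flag PostgreSQL JDBC URLs whose TLS settings skip host name verification,
including the CVE-2018-10936 case (custom sslfactory, no verifier, driver
< 42.2.5). Example code for this bulletin; not IBM/ISIQ code."""
from urllib.parse import parse_qs, urlsplit

FIXED_DRIVER = (42, 2, 5)  # postgresql-jdbc release that fixed CVE-2018-10936


def parse_version(text):
    """'42.2.5' -> (42, 2, 5); ignores suffixes such as '42.2.2.jre7'."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    nums = nums[:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def parse_jdbc_url(url):
    """Return the query parameters of a jdbc:postgresql:// URL as a dict."""
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError("not a PostgreSQL JDBC URL: %r" % url)
    query = urlsplit(url[len("jdbc:"):]).query
    return {k: v[-1] for k, v in parse_qs(query).items()}


def audit_jdbc_url(url, driver_version):
    """List the TLS weaknesses a defender would flag for this URL and driver."""
    p = parse_jdbc_url(url)
    findings = []
    sslmode = p.get("sslmode")
    # allow/prefer (and an absent sslmode without ssl=true) never require TLS
    ssl_required = (p.get("ssl", "").lower() == "true"
                    or sslmode not in (None, "disable", "allow", "prefer"))
    if not ssl_required:
        findings.append("TLS not required: set sslmode=verify-full")
        return findings
    if sslmode in ("require", "verify-ca"):
        findings.append("sslmode=%s does not verify the server host name"
                        % sslmode)
    if ("sslfactory" in p and "sslhostnameverifier" not in p
            and parse_version(driver_version) < FIXED_DRIVER):
        findings.append("CVE-2018-10936: custom sslfactory without "
                        "sslhostnameverifier on postgresql-jdbc < 42.2.5")
    return findings


# Constructed sample: a custom factory on a pre-fix driver is flagged.
SAMPLE_URL = ("jdbc:postgresql://db.example.internal:5432/isiq"
              "?ssl=true&sslfactory=com.example.CustomSslFactory")
if __name__ == "__main__":
    for line in audit_jdbc_url(SAMPLE_URL, "42.2.2"):
        print(line)
```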
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================