-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0303
   Security Bulletin: Vulnerability in IBM Websphere Application Server
           Liberty used by IBM Cloud Pak System (CVE-2019-12402)
                              29 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Cloud Pak System
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12402

Reference:         ESB-2020.0007
                   ESB-2019.4596
                   ESB-2019.4586
                   ESB-2019.4026

Original Bulletin:
   https://www.ibm.com/support/pages/node/1282006

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in IBM Websphere Application Server Liberty used by IBM Cloud
Pak System (CVE-2019-12402)

Security Bulletin

Summary

There are vulnerabilities in Websphere Liberty used by IBM CloudPak System.
IBM Cloud Pak System has addressed the vulnerability. IBM Cloud Pak System has
released v2.3.1.1, which includes Websphere Application Server Liberty
19.0.0.9, and Websphere Application Server Traditional v8.5.5.16 and v9.0.5.1.

Vulnerability Details

CVEID: CVE-2019-12402
DESCRIPTION: The file name encoding algorithm used internally in Apache
Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with
specially crafted inputs. This can lead to a denial of service attack if an
attacker can choose the file names inside of an archive created by Compress.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/165956 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|IBM Cloud Pak System|2.3       |
+--------------------+----------+
|IBM Cloud Pak System|2.2       |
+--------------------+----------+

Affected Supporting Products

Liberty

Remediation/Fixes

For Cloud Pak System V2.2.5 - V2.2.6, V2.3.0.1

Apply the fix as per Denial of Service in IBM WebSphere Application Server
Liberty Security Bulletin

OR

Apply Cloud Pak System v2.3.1.1

Information on upgrading can be found here:
http://www.ibm.com/support/docview.wss?uid=ibm10887959

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjD0KmaOgq3Tt24GAQh9ZxAAgX9qfS0wU+as4HekXvZ3vDIDjEqKWtMY
A3HD34hIEiRh6sdnaJ7nFpZt8KiEgBdZlq9rgty9YU04rFqJJWTbX6kJBQZmoOF7
YgRZa5LDZFRO5uHgdNKurlyJ0uwfFSa3mPPLs4c1u5jAZ/mH9R4tQ8iDP3FrDop2
bkvZTeXTMuxT2K+7wQTh1uuvPT2J8iJv/FAdEKYKsqGzL73WDLI4Eze9kj+Cli6c
DmaLYyt9lQYAOmha9g/3uoxBez8BFaFBmSTBBajVS7VPRzsCEaEBRRH+5y7bzvJk
j8K52CqPd+jJGOHeDjGCxNl08obfJZoMKdf1jp2lnW2dn3U07HnmJ65LeAQJ24nM
bNeS9a1stNvVYUIT9C4YS2VqwkXzIs9NrFVv6LYOHt7sa3IWgsilXz3SstaK8dJ8
z8MNml78js/DMQBx3YV3+k4NalggkzYTAttQumr1Kf85b4xbsiQZA+oDTpiBed5G
bJW8eR6UEPM7OBhwoHgLxEAotjMgTAdldAO5P6OPoEmkklQLCqvqCqvDAJx/wUKH
CijoQW0WgMTUVjbvR5VpIcnOGcD4ebiARi1pWifOpZgJjjUIe6SP9XDgLijw0wEZ
rbsmlptLJ9+N13BRy2ILevJMTw+LkpBz05l0DCZl89flTnGmgjZ6H1/Cft3IFchG
njd1mL7tS04=
=ezzp
-----END PGP SIGNATURE-----
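The vulnerability details above name a specific dependency range (Apache Commons Compress 1.15 to 1.18), and the practical first step for an operator is finding every copy of that library in a deployment, including copies nested inside WAR/EAR files or repackaged without version metadata. The following inventory check is an added example written for this bulletin; it is not code from IBM, AusCERT or Apache. It walks a directory tree, opens each .jar/.war/.ear, reads META-INF/MANIFEST.MF (and the manifests of jars nested inside), and reports whether the commons-compress version it finds is in the affected range. The fixture directory it builds (`build_sample_tree`) is constructed sample data, not real artifacts, and the manifest attribute names it matches on (Bundle-SymbolicName, Implementation-Title, Implementation-Version, Bundle-Version) are the standard OSGi/JAR attributes rather than anything taken from the bulletin.

```python
"""Find Apache Commons Compress jars in the CVE-2019-12402 range (1.15-1.18).
Added example for the bulletin above; not IBM's, AusCERT's or Apache's code."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

AFFECTED_MIN, AFFECTED_MAX = (1, 15), (1, 18)   # range quoted in the CVE description
FILENAME_RE = re.compile(r"commons-compress-(\d+(?:\.\d+)*)\.jar$")
CLASS_PREFIX = "org/apache/commons/compress/"   # package root of the library


@dataclass
class Finding:
    path: str                 # outer archive, plus "!inner.jar" for a nested jar
    version: Optional[str]    # None when no version metadata was found
    affected: Optional[bool]  # None when the version could not be determined
    source: str               # "manifest", "filename" or "classes"


def parse_version(text: str):
    """Leading numeric components of a version string: '1.18.1-rc' -> (1, 18, 1)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(version: str) -> bool:
    """True when major.minor is within [1.15, 1.18]; patch levels are ignored."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= (v + (0, 0))[:2] <= AFFECTED_MAX


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a JAR manifest; lines starting with a space continue the previous value."""
    attrs: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            key = None                      # blank line ends a manifest section
        elif line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def inspect_zip(zf: zipfile.ZipFile, label: str, depth: int = 0) -> List[Finding]:
    """Identify commons-compress in one archive; recurse into nested jars two levels deep."""
    findings: List[Finding] = []
    names = zf.namelist()
    attrs = (parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
             if "META-INF/MANIFEST.MF" in names else {})
    ident = " ".join(attrs.get(k, "") for k in
                     ("Implementation-Title", "Bundle-SymbolicName", "Automatic-Module-Name")).lower()
    by_name = FILENAME_RE.search(os.path.basename(label))
    if "commons.compress" in ident or "commons compress" in ident:
        version = attrs.get("Implementation-Version") or attrs.get("Bundle-Version")
        findings.append(Finding(label, version, is_affected(version) if version else None, "manifest"))
    elif by_name:
        findings.append(Finding(label, by_name.group(1), is_affected(by_name.group(1)), "filename"))
    elif any(n.startswith(CLASS_PREFIX) for n in names):
        findings.append(Finding(label, None, None, "classes"))   # shaded copy: review by hand
    for inner in names:
        if depth < 2 and inner.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as nested:
                    findings.extend(inspect_zip(nested, f"{label}!{inner}", depth + 1))
            except zipfile.BadZipFile:
                continue
    return findings


def scan(root: str) -> List[Finding]:
    """Walk root and inspect every .jar, .war and .ear found under it."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_zip(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture (not real artifacts): an affected jar, a fixed one, a shaded
    copy with no metadata, and an affected jar nested inside a war file."""
    def write_jar(target, manifest, extra=()):
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            for entry in extra:
                zf.writestr(entry, b"")
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    write_jar(os.path.join(lib, "commons-compress-1.18.jar"),
              "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.apache.commons.compress\r\n"
              "Implementation-Title: Apache Commons Compress\r\nImplementation-Version: 1.18\r\n\r\n")
    write_jar(os.path.join(lib, "commons-compress-1.19.jar"),
              "Manifest-Version: 1.0\r\nImplementation-Title: Apache Commons Compress\r\n"
              "Implementation-Version: 1.19\r\n\r\n")
    write_jar(os.path.join(lib, "app-shaded.jar"), "Manifest-Version: 1.0\r\n\r\n",
              extra=[CLASS_PREFIX + "archivers/zip/ZipFile.class"])
    inner = io.BytesIO()
    write_jar(inner, "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.apache.commons.compress\r\n"
                     "Bundle-Version: 1.15\r\n\r\n")
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/commons-compress-1.15.jar", inner.getvalue())


def demo() -> Dict[str, Finding]:
    """Build the fixture in a temp directory, scan it, and key findings by relative path."""
    root = tempfile.mkdtemp(prefix="compress-check-")
    build_sample_tree(root)
    return {f.path[len(root) + 1:]: f for f in scan(root)}


if __name__ == "__main__":
    for rel, f in demo().items():
        print(f"{rel}: version={f.version} affected={f.affected} ({f.source})")
```

Run it against a real installation with `scan("/path/to/server")` instead of `demo()`. A finding with `source == "classes"` means the library's classes are present but relocated or stripped of metadata, which is exactly the case a version-string grep misses; those need a manual check against the fixed release rather than being treated as clean.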