===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1307
               IBM QRadar receives multiple security updates
                               15 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QRadar
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Cross-site Scripting           -- Existing Account
                   Access Confidential Data       -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4274 CVE-2020-4269 CVE-2020-4268
                   CVE-2020-4151 CVE-2019-4654 CVE-2019-4594
                   CVE-2019-2989 CVE-2019-2981 CVE-2019-2975
                   CVE-2019-2973 CVE-2019-2964 CVE-2017-3164

Reference:         ASB-2019.0294
                   ESB-2020.0059
                   ESB-2019.4376
                   ESB-2019.0450

Original Bulletin:
   https://www.ibm.com/support/pages/node/6189675
   https://www.ibm.com/support/pages/node/6189723
   https://www.ibm.com/support/pages/node/6189717
   https://www.ibm.com/support/pages/node/6189705
   https://www.ibm.com/support/pages/node/6189735
   https://www.ibm.com/support/pages/node/6189639
   https://www.ibm.com/support/pages/node/6189741
   https://www.ibm.com/support/pages/node/6189711

Comment: This bulletin contains eight (8) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to improper input validation
(CVE-2020-4151)

Document Information

Modified date: 14 April 2020
UID: ibm16189675

Summary

IBM QRadar SIEM is vulnerable to improper input validation, allowing an
authenticated attacker to perform unauthorized actions

Vulnerability Details

CVEID: CVE-2020-4151
DESCRIPTION: IBM QRadar could allow an authenticated attacker to perform
unauthorized actions due to improper input validation.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174201
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Brad Sherrill, Rodney Ryan, John Zuccato,
Jonathan Fitz-gerald, Chris Shepherd, Troy Fisher, Vincent Dragnea, Nathan
Roane, Elaheh Samani, and Kamil Sarbinowski

Change History

07 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to invalid certificate
validation (CVE-2019-4654)

Document Information

Modified date: 14 April 2020
UID: ibm16189723

Summary

IBM QRadar SIEM does not validate, or incorrectly validates, a certificate.

Vulnerability Details

CVEID: CVE-2019-4654
DESCRIPTION: IBM QRadar does not validate, or incorrectly validates, a
certificate which could allow an attacker to spoof a trusted entity by using a
man-in-the-middle (MITM) attack.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170965
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java
Runtime affect IBM QRadar SIEM

Document Information

Modified date: 14 April 2020
UID: ibm16189717

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version
8 and IBM Runtime Environment Java Version 8 used by IBM QRadar SIEM. IBM
QRadar SIEM has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2019-2989
DESCRIPTION: An unspecified vulnerability in Java SE could allow an
unauthenticated attacker to cause no confidentiality impact, high integrity
impact, and no availability impact.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169295
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID: CVE-2019-2975
DESCRIPTION: An unspecified vulnerability in Java SE related to the Scripting
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169281
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2019-2981
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169287
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2973
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169279
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2964
DESCRIPTION: An unspecified vulnerability in Java SE related to the Concurrency
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169270
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 1

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 2 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to Authorization bypass
(CVE-2020-4274)

Document Information

Modified date: 14 April 2020
UID: ibm16189705

Summary

IBM QRadar SIEM is vulnerable to Authorization bypass

Vulnerability Details

CVEID: CVE-2020-4274
DESCRIPTION: IBM QRadar SIEM could allow an authenticated user to access data
and perform unauthorized actions due to inadequate permission checks.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175980
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Yorick Koster

Change History

14 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure
(CVE-2019-4594)

Document Information

Modified date: 14 April 2020
UID: ibm16189735

Summary

IBM QRadar could allow a remote attacker to obtain sensitive information,
caused by the failure to properly enable HTTP Strict Transport Security

Vulnerability Details

CVEID: CVE-2019-4594
DESCRIPTION: IBM QRadar could allow a remote attacker to obtain sensitive
information, caused by the failure to properly enable HTTP Strict Transport
Security. An attacker could exploit this vulnerability to obtain sensitive
information using man in the middle techniques.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167810
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 1

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 2 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to cross site scripting (XSS)
(CVE-2020-4268)

Document Information

Modified date: 14 April 2020
UID: ibm16189639

Summary

IBM QRadar SIEM is vulnerable to cross site scripting

Vulnerability Details

CVEID: CVE-2020-4268
DESCRIPTION: IBM QRadar is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175841
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Mohammed Shameem Shahnawaz

Change History

06 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known
Vulnerabilities (CVE-2017-3164)

Document Information

Modified date: 14 April 2020
UID: ibm16189741

Summary

IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Vulnerability Details

CVEID: CVE-2017-3164
DESCRIPTION: Apache Solr is vulnerable to server-side request forgery, caused
by not having corresponding whitelist mechanism in the shards parameter. By
using a specially-crafted argument, an attacker could exploit this
vulnerability to conduct SSRF attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156956
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 1

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 2 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

-------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains hard-coded credentials
(CVE-2020-4269)

Document Information

Modified date: 14 April 2020
UID: ibm16189711

Summary

IBM QRadar SIEM contains hard-coded credentials

Vulnerability Details

CVEID: CVE-2020-4269
DESCRIPTION: IBM QRadar contains hard-coded credentials, such as a password or
cryptographic key, which it uses for its own inbound authentication, outbound
communication to external components, or encryption of internal data.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175845
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

- IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- QRadar Incident Forensics 7.4.0 (ISO)
- QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that a new
ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Yorick Koster

Change History

14 Apr 2020: Initial Publication

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================