-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1307
               IBM QRadar receives multiple security updates
                               15 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QRadar
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Cross-site Scripting           -- Existing Account      
                   Access Confidential Data       -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4274 CVE-2020-4269 CVE-2020-4268
                   CVE-2020-4151 CVE-2019-4654 CVE-2019-4594
                   CVE-2019-2989 CVE-2019-2981 CVE-2019-2975
                   CVE-2019-2973 CVE-2019-2964 CVE-2017-3164

Reference:         ASB-2019.0294
                   ESB-2020.0059
                   ESB-2019.4376
                   ESB-2019.0450

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6189675
   https://www.ibm.com/support/pages/node/6189723
   https://www.ibm.com/support/pages/node/6189717
   https://www.ibm.com/support/pages/node/6189705
   https://www.ibm.com/support/pages/node/6189735
   https://www.ibm.com/support/pages/node/6189639
   https://www.ibm.com/support/pages/node/6189741
   https://www.ibm.com/support/pages/node/6189711

Comment: This bulletin contains eight (8) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to improper input validation
(CVE-2020-4151)

Document Information

Modified date: 14 April 2020
UID: ibm16189675

Summary

IBM QRadar SIEM is vulnerable to improper input validation, allowing an
authenticated attacker to perform unauthorized actions.

Vulnerability Details

CVEID:   CVE-2020-4151
DESCRIPTION:   IBM QRadar could allow an authenticated attacker to perform
unauthorized actions due to improper input validation.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174201 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None


Acknowledgement

IBM X-Force Ethical Hacking Team: Brad Sherrill, Rodney Ryan, John Zuccato,
Jonathan Fitz-gerald, Chris Shepherd, Troy Fisher, Vincent Dragnea, Nathan
Roane, Elaheh Samani, and Kamil Sarbinowski

Change History

07 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to invalid certificate
validation (CVE-2019-4654)

Document Information

Modified date: 14 April 2020
UID: ibm16189723

Summary

IBM QRadar SIEM does not validate, or incorrectly validates, a certificate.

Vulnerability Details

CVEID:   CVE-2019-4654
DESCRIPTION:   IBM QRadar does not validate, or incorrectly validates, a
certificate which could allow an attacker to spoof a trusted entity by using a
man-in-the-middle (MITM) attack.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 2


Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java
Runtime affect IBM QRadar SIEM

Document Information

Modified date: 14 April 2020
UID: ibm16189717

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition,
Version 8 and IBM Runtime Environment Java Version 8 used by IBM QRadar SIEM.
IBM QRadar SIEM has addressed the applicable CVEs.

Vulnerability Details

CVEID:   CVE-2019-2989
DESCRIPTION:   An unspecified vulnerability in Java SE could allow an
unauthenticated attacker to cause no confidentiality impact, high integrity
impact, and no availability impact.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169295 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID:   CVE-2019-2975
DESCRIPTION:   An unspecified vulnerability in Java SE related to the Scripting
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and low availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:   CVE-2019-2981
DESCRIPTION:   An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169287 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2019-2973
DESCRIPTION:   An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169279 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2019-2964
DESCRIPTION:   An unspecified vulnerability in Java SE related to the
Concurrency component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 1

Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 2 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to authorization bypass
(CVE-2020-4274)

Document Information

Modified date: 14 April 2020
UID: ibm16189705

Summary

IBM QRadar SIEM is vulnerable to authorization bypass.

Vulnerability Details

CVEID:   CVE-2020-4274
DESCRIPTION:   IBM QRadar SIEM could allow an authenticated user to access data
and perform unauthorized actions due to inadequate permission checks.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175980 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Yorick Koster

Change History

14 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure
(CVE-2019-4594)

Document Information

Modified date: 14 April 2020
UID: ibm16189735

Summary

IBM QRadar could allow a remote attacker to obtain sensitive information,
caused by the failure to properly enable HTTP Strict Transport Security.

Vulnerability Details

CVEID:   CVE-2019-4594
DESCRIPTION:   IBM QRadar could allow a remote attacker to obtain sensitive
information, caused by the failure to properly enable HTTP Strict Transport
Security (HSTS). An attacker could exploit this vulnerability to obtain
sensitive information using man-in-the-middle techniques.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167810 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
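
The entry above turns on whether the Strict-Transport-Security header is actually emitted and carries a usable policy. The following Python check is an added example, not code from IBM or from the QRadar product, and it does not reproduce the defect: it classifies the HSTS posture of a response from its headers, which is how an administrator would verify, after applying the fix, that the header is present and strong enough. The one-year minimum max-age is a local policy assumption, and the sample responses are constructed here, not captured from any host.

```python
"""HSTS header check: classify the Strict-Transport-Security posture of an
HTTP response. Constructed example for the CVE-2019-4594 entry; not IBM code."""
from typing import Dict, Optional

# Assumption (local policy, not from the advisory): treat HSTS as properly
# enabled only when max-age is at least one year, as preload lists require.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into its directives (RFC 6797 syntax).

    Directive names are case-insensitive and are lower-cased here; values are
    unquoted. A directive that appears twice makes the header invalid per the
    RFC, so a duplicate raises ValueError.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = val.strip().strip('"')
    return directives


def hsts_status(headers: Dict[str, str], https: bool = True) -> str:
    """Return one of: missing, ignored, invalid, disabled, weak, ok.

    headers: response header names mapped to values (names are matched
             case-insensitively, as HTTP requires).
    https:   whether the response was received over TLS; browsers ignore an
             HSTS header delivered over plain HTTP (RFC 6797, section 8.1).
    """
    value: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return "missing"
    if not https:
        return "ignored"
    try:
        directives = parse_hsts(value)
    except ValueError:
        return "invalid"
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        # max-age is the one required directive; a non-numeric or absent
        # value means the header carries no policy at all.
        return "invalid"
    seconds = int(max_age)
    if seconds == 0:
        # max-age=0 tells the browser to forget any stored policy for the host.
        return "disabled"
    if seconds < MIN_MAX_AGE:
        return "weak"
    return "ok"


# Constructed sample responses (header maps only), not captured from any host.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "short": {"strict-transport-security": "max-age=60"},
    "zero": {"Strict-Transport-Security": "max-age=0"},
    "garbled": {"Strict-Transport-Security": "max-age=abc"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify each named response; anything other than 'ok' merits a look."""
    return {name: hsts_status(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_RESPONSES).items():
        print(f"{name:8s} {status}")
```

In practice the header map would come from an HTTPS response to the console (for example the `headers` attribute of a `urllib` or `requests` response); the `https` flag matters because a header seen only on a plain-HTTP redirect gives no protection.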

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 1


Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 2 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to cross site scripting (XSS)
(CVE-2020-4268)

Document Information

Modified date: 14 April 2020
UID: ibm16189639

Summary

IBM QRadar SIEM is vulnerable to cross site scripting

Vulnerability Details

CVEID:   CVE-2020-4268
DESCRIPTION:   IBM QRadar is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI,
thus altering the intended functionality and potentially leading to credential
disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175841 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 2


Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Mohammed Shameem Shahnawaz

Change History

06 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known
Vulnerabilities (CVE-2017-3164)

Document Information

Modified date: 14 April 2020
UID: ibm16189741

Summary

IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

Vulnerability Details

CVEID:   CVE-2017-3164
DESCRIPTION:   Apache Solr is vulnerable to server-side request forgery, caused
by the lack of a corresponding whitelist mechanism for the shards parameter. By
using a specially-crafted argument, an attacker could exploit this
vulnerability to conduct an SSRF attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156956 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 1


Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 2 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Change History

14 Apr 2020: Initial Publication

- -------------------------------------------------------------------------------

Security Bulletin: IBM QRadar SIEM contains hard-coded credentials
(CVE-2020-4269)

Document Information

Modified date: 14 April 2020
UID: ibm16189711

Summary

IBM QRadar SIEM contains hard-coded credentials

Vulnerability Details

CVEID:   CVE-2020-4269
DESCRIPTION:   IBM QRadar contains hard-coded credentials, such as a password
or cryptographic key, which it uses for its own inbound authentication,
outbound communication to external components, or encryption of internal data.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

- - IBM QRadar 7.3.0 to 7.3.3 Patch 2

Remediation/Fixes

- - QRadar / QRM / QVM / QNI 7.4.0 GA (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 (SFS)
- - QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 (SFS)
- - QRadar Incident Forensics 7.4.0 (ISO)
- - QRadar Incident Forensics 7.4.0 (SFS)

NOTE: Administrators with QRadar Incident Forensics should be aware that new
ISO and SFS files are published to IBM Fix Central for QRadar Incident Forensics
7.4.0 versions.

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Yorick Koster

Change History

14 Apr 2020: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXpaeNmaOgq3Tt24GAQiE/g//feHfXduy/iGqLpeLWlRB3kiByjxLloH7
Y1L983k8di2mImPSD/CIzOnHJIz2/V4WRdV/SD014gpexPM6+2R/fp2P79lntFyK
x4X0eozsOaWXl5ZaSgGmqzzUM2KTTPpoYnFFcdj9sj1xxwIgajEHQP84e7gjveoP
siKym8giDoKd/lmpxMmTPPYMLHEeU9A+EkFUqwAJzPIYel1MdUi6ZQfJWxQnCQIV
hDeVrpa8kUXva/DMjE18NCbnIuofWaAYsWcc6M8ohDg+FZ1if7yBjXyyxbhCi9bN
rSSs35mpOrb3jD1hVD9+8Q4uYF93R395viDdK8bDmzXz1LUep4zEcGqD0p6Vr+6L
V5PFKwb4MHGMIBO0+VNRMTa1KxzwCEQHExnqfuaODAMpXiSon3m6nDB2uRpYtjkn
q39Caq6uGgghN4LCjnrdAaLc4i+Fitvgv/nOFclv6axbSiGkqPZLEzxFUPP81oZW
BPfhv54KeVualA0TvYmzQo3uWeF4TJe9WHxpFSntEBxpAzCLG3M0DnznVMBbZt2S
Qs73urBzxTrj5tNr3iX2cJcy6OV+JDWTp0k2u48IK+6Ev/pPC45NxLDe4Vd5B0La
GfTtJj7a+UVGp3hhX54KfbWFEronnk9houoV0dClWXEl3+Vd5y4REAJyRAytiVfB
EXb2CPm93Gs=
=uHsC
-----END PGP SIGNATURE-----