Operating System:

[LINUX]

Published:

02 December 2021

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4083
        Security Bulletin: IBM QRadar SIEM Application Framework v1
                         (CentOS6) is End of Life
                              2 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27219 CVE-2021-3572 CVE-2021-3450
                   CVE-2021-3449 CVE-2020-1971 CVE-2019-20916
                   CVE-2019-12749 CVE-2019-12735 CVE-2019-11745
                   CVE-2019-9636 CVE-2019-3863 CVE-2019-3857
                   CVE-2019-3856 CVE-2019-3855 CVE-2019-1559
                   CVE-2018-12384 CVE-2018-12020 CVE-2018-10897
                   CVE-2017-15804  

Reference:         ESB-2021.4058

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6520674

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life

Document Information

Document number    : 6520674
Modified date      : 30 November 2021
Product            : IBM QRadar SIEM
Software version   : 7.3, 7.4
Operating system(s): Linux

Summary

IBM QRadar SIEM's App Framework V1, based on CentOS 6, contains known
vulnerabilities and is based on technologies that are no longer being
supported.

Vulnerability Details

CVEID: CVE-2019-9636
DESCRIPTION: Python urllib.parse.urlsplit and urllib.parse.urlparse components
could allow a remote attacker to obtain sensitive information, caused by
improper unicode encoding handling in NFKC normalization. By using a
specially-crafted URL, an attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2021-27219
DESCRIPTION: GNOME GLib could allow a remote attacker to cause a denial of
service, caused by an integer overflow in the g_bytes_new function. An attacker
could exploit this vulnerability to corrupt memory and cause a denial of
service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
196782 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10897
DESCRIPTION: reposync could allow a remote attacker to traverse directories on
the system, caused by the improper sanitation of paths in remote repository
configuration files. By persuading a victim to open a specially crafted file,
an attacker could exploit this vulnerability using path traversal to overwrite
critical system files and compromise the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
147685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11745
DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla
Firefox could allow a remote attacker to execute arbitrary code on the system,
caused by an out-of-bounds write when encrypting with a block cipher. By
persuading a victim to visit a specially-crafted Web site, a remote attacker
could exploit this vulnerability to corrupt the heap and execute arbitrary code
on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
172458 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-12020
DESCRIPTION: GnuPG could allow a remote attacker to conduct spoofing attacks,
caused by the improper handling of the original filename during decryption and
verification actions in mainproc.c. An attacker could exploit this
vulnerability to spoof the output that GnuPG sends on file descriptor 2 to
other programs that use the --status-fd 2 option.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
144556 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-12749
DESCRIPTION: D-Bus could allow a remote attacker to bypass security
restrictions, caused by symlink mishandling in the reference implementation of
DBUS_COOKIE_SHA1 in the libdbus library. By manipulating a ~/.dbus-keyrings
symlink, an attacker could exploit this vulnerability to bypass
DBUS_COOKIE_SHA1 authentication to allow a DBusServer with a different uid to
read and write in arbitrary locations.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2017-15804
DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer
overflow, caused by improper bounds checking by glob function in glob.c. By
using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
133996 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-3863
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow in user authenticate keyboard
interactive. By sending a specially crafted message, a remote attacker could
exploit this vulnerability to trigger an out-of-bounds write and execute
arbitrary code on the client system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158347 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3857
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow. By sending a specially crafted
SSH_MSG_CHANNEL_REQUEST packet with an exit signal message, a remote attacker
could exploit this vulnerability to trigger an out-of-bounds write and execute
arbitrary code on the client system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158341 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3856
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow in keyboard interactive handling. By
sending a specially crafted request, a remote attacker could exploit this
vulnerability to trigger an out-of-bounds write and execute arbitrary code on
the client system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158340 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3855
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow in transport read. By sending
specially crafted packets, a remote attacker could exploit this vulnerability
to trigger an out-of-bounds read and execute arbitrary code on the client
system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-12384
DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla
Firefox, could allow a remote attacker to obtain sensitive information, caused
by the improper handling of an SSLv2-compatible ClientHello message. By
conducting a passive replay attack, an attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
150436 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2019-1559
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to immediately close the TCP connection
after the hosts encounter a zero-length record with valid padding. An attacker
could exploit this vulnerability using a 0-byte record padding-oracle attack to
decrypt traffic.
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
157514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2020-1971
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference. If the GENERAL_NAME_cmp function contain an EDIPARTYNAME,
an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
192748 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-3449
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference in signature_algorithms processing. By sending a specially
crafted renegotiation ClientHello message from a client, a remote attacker
could exploit this vulnerability to cause the TLS server to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198752 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-3450
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security
restrictions, caused by a a missing check in the validation logic of X.509
certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid
certificate or certificate chain to sign a specially crafted certificate, an
attacker could bypass the check that non-CA certificates must not be able to
issue other certificates and override the default purpose.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198754 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2021-3572
DESCRIPTION: pip package for python could allow a remote authenticated attacker
to bypass security restrictions, caused by the improper handling of Unicode
separators in git references. By creating a specially crafted tag, an attacker
could exploit this vulnerability to install a different revision on a
repository.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
208954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-20916
DESCRIPTION: pypa pip package for python could allow a remote attacker to
traverse directories on the system, caused by a flaw when installing package
via a specified URL. An attacker could use a specially-crafted
Content-Disposition header with filename containing "dot dot" sequences (/../)
to overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
187855 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

CVEID: CVE-2019-12735
DESCRIPTION: Vim and and Neovim could allow a remote attacker to execute
arbitrary commands on the system, caused by improper input validation by the
:source! command in a modeline. By sending a specially-crafted request, an
attacker could exploit this vulnerability to execute arbitrary commands on the
system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162255 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM QRadar SIEM 7.3.0 to 7.3.3 FP 10

IBM QRadar SIEM 7.4.0 to 7.4.3 FP 4

Remediation/Fixes

Customers should remove all CentOS 6 apps from their QRadar deployment or
upgrade to UBI 8 versions. Apps can be uninstalled via Extension Management.

To ensure all CentOS 6 apps are removed and to prevent installation of CentOS 6
apps in the future, follow the guidelines at http://ibm.biz/qradarcentos6 on
supported QRadar versions. In a future version of QRadar, this will be the
default state.

Workarounds and Mitigations

Upgrade apps to UBI8 versions and manually uninstall any remaining CentOS 6
based apps from your QRadar installation.

Change History

26 Nov 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYahOqONLKJtyKPYoAQij+A/+JukrX3WeqEZ6eTahUcd5zuiK44CZiDTY
6BKiZueIofW6GREiWm1+9N9MZYebeJDEUK62TUYnStXJ7TpZxULuGjsAeD/oW9Ts
h8StKZ8NGx6JthyeCYDq5BbQ46TW4mro2Hsky9Ys0ztDJINoMdnj0liQ25mM1l2A
k24E2OGkxoEQsL3Z0vLBOpVMnHloPFP0UQ9sA+eN8n7MT0A3Ez/TF/eGP0Rbiur4
XCD6bx14FM19ZYSCwfSyd/vjIb2P5E0TkLAkFiNrubo8E9E86DzG3PlLaAHw0+bC
ns1nmZHXajUMKt32u/Gp7kuC9sgr9d079XM/SIw4TjUmlDKVOY0ftljWKFv6CTjr
/ERXa8XG+FrWmLVUO5frOCD4CIFDu3G4U6hiWXfjWd8i9re6D6UjQdvRdZdTYE+J
FCwp8iMhKgOyt0heRujWpJwAHVPw62upDG8p+bKYnoUteKvgau+bvNAHy83yfKdQ
EDyeK7hG0Ud0aq8XN/s7w9wM40pLfT+JR+zGgJHcVXtR5SnoQaZTFPXX6VX3AEef
O1eJ6XrZmTd3T1Uwvf23HuyEEAGJylfS8zK5goPEuLE90r9a6/KfcYcSaZzjV0EG
8hp8RpoMHkvGQOJn9IAbiijjeWQNwSS1GbwePI+h/KTftWcOA2vol8g2iB27hvGr
by9C4jivhnI=
=5E2F
-----END PGP SIGNATURE-----