Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.4083 Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life 2 December 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM QRadar SIEM Publisher: IBM Operating System: Linux variants Impact/Access: Root Compromise -- Remote with User Interaction Execute Arbitrary Code/Commands -- Remote/Unauthenticated Overwrite Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-27219 CVE-2021-3572 CVE-2021-3450 CVE-2021-3449 CVE-2020-1971 CVE-2019-20916 CVE-2019-12749 CVE-2019-12735 CVE-2019-11745 CVE-2019-9636 CVE-2019-3863 CVE-2019-3857 CVE-2019-3856 CVE-2019-3855 CVE-2019-1559 CVE-2018-12384 CVE-2018-12020 CVE-2018-10897 CVE-2017-15804 Reference: ESB-2021.4058 Original Bulletin: https://www.ibm.com/support/pages/node/6520674 - --------------------------BEGIN INCLUDED TEXT-------------------- IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life Document Information Document number : 6520674 Modified date : 30 November 2021 Product : IBM QRadar SIEM Software version : 7.3, 7.4 Operating system(s): Linux Summary IBM QRadar SIEM's App Framework V1, based on CentOS 6, contains known vulnerabilities and is based on technologies that are no longer being supported. Vulnerability Details CVEID: CVE-2019-9636 DESCRIPTION: Python urllib.parse.urlsplit and urllib.parse.urlparse components could allow a remote attacker to obtain sensitive information, caused by improper unicode encoding handling in NFKC normalization. By using a specially-crafted URL, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158114 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID: CVE-2021-27219 DESCRIPTION: GNOME GLib could allow a remote attacker to cause a denial of service, caused by an integer overflow in the g_bytes_new function. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 196782 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2018-10897 DESCRIPTION: reposync could allow a remote attacker to traverse directories on the system, caused by the improper sanitation of paths in remote repository configuration files. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability using path traversal to overwrite critical system files and compromise the system. CVSS Base score: 8.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 147685 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2019-11745 DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write when encrypting with a block cipher. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to corrupt the heap and execute arbitrary code on the vulnerable system or cause a denial of service. CVSS Base score: 8.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 172458 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2018-12020 DESCRIPTION: GnuPG could allow a remote attacker to conduct spoofing attacks, caused by the improper handling of the original filename during decryption and verification actions in mainproc.c. An attacker could exploit this vulnerability to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the --status-fd 2 option. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 144556 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2019-12749 DESCRIPTION: D-Bus could allow a remote attacker to bypass security restrictions, caused by symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. By manipulating a ~/.dbus-keyrings symlink, an attacker could exploit this vulnerability to bypass DBUS_COOKIE_SHA1 authentication to allow a DBusServer with a different uid to read and write in arbitrary locations. CVSS Base score: 9.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 162386 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) CVEID: CVE-2017-15804 DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer overflow, caused by improper bounds checking by glob function in glob.c. By using a specially-crafted file, a local attacker could overflow a buffer. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 133996 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) CVEID: CVE-2019-3863 DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in user authenticate keyboard interactive. By sending a specially crafted message, a remote attacker could exploit this vulnerability to trigger an out-of-bounds write and execute arbitrary code on the client system. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158347 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2019-3857 DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit signal message, a remote attacker could exploit this vulnerability to trigger an out-of-bounds write and execute arbitrary code on the client system. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158341 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2019-3856 DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in keyboard interactive handling. By sending a specially crafted request, a remote attacker could exploit this vulnerability to trigger an out-of-bounds write and execute arbitrary code on the client system. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158340 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2019-3855 DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in transport read. By sending specially crafted packets, a remote attacker could exploit this vulnerability to trigger an out-of-bounds read and execute arbitrary code on the client system. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158339 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2018-12384 DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by the improper handling of an SSLv2-compatible ClientHello message. By conducting a passive replay attack, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 150436 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) CVEID: CVE-2019-1559 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic. CVSS Base score: 5.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 157514 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) CVEID: CVE-2020-1971 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the GENERAL_NAME_cmp function contain an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 192748 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2021-3449 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signature_algorithms processing. By sending a specially crafted renegotiation ClientHello message from a client, a remote attacker could exploit this vulnerability to cause the TLS server to crash. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 198752 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2021-3450 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a a missing check in the validation logic of X.509 certificate chains by the X509_V_FLAG_X509_STRICT flag. By using any valid certificate or certificate chain to sign a specially crafted certificate, an attacker could bypass the check that non-CA certificates must not be able to issue other certificates and override the default purpose. CVSS Base score: 7.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 198754 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H) CVEID: CVE-2021-3572 DESCRIPTION: pip package for python could allow a remote authenticated attacker to bypass security restrictions, caused by the improper handling of Unicode separators in git references. By creating a specially crafted tag, an attacker could exploit this vulnerability to install a different revision on a repository. CVSS Base score: 4.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 208954 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N) CVEID: CVE-2019-20916 DESCRIPTION: pypa pip package for python could allow a remote attacker to traverse directories on the system, caused by a flaw when installing package via a specified URL. An attacker could use a specially-crafted Content-Disposition header with filename containing "dot dot" sequences (/../) to overwrite arbitrary files on the system. CVSS Base score: 8.2 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 187855 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) CVEID: CVE-2019-12735 DESCRIPTION: Vim and and Neovim could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation by the :source! command in a modeline. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 162255 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Affected Products and Versions IBM QRadar SIEM 7.3.0 to 7.3.3 FP 10 IBM QRadar SIEM 7.4.0 to 7.4.3 FP 4 Remediation/Fixes Customers should remove all CentOS 6 apps from their QRadar deployment or upgrade to UBI 8 versions. Apps can be uninstalled via Extension Management. To ensure all CentOS 6 apps are removed and to prevent installation of CentOS 6 apps in the future, follow the guidelines at http://ibm.biz/qradarcentos6 on supported QRadar versions. In a future version of QRadar, this will be the default state. Workarounds and Mitigations Upgrade apps to UBI8 versions and manually uninstall any remaining CentOS 6 based apps from your QRadar installation. Change History 26 Nov 2021: Initial Publication - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYahOqONLKJtyKPYoAQij+A/+JukrX3WeqEZ6eTahUcd5zuiK44CZiDTY 6BKiZueIofW6GREiWm1+9N9MZYebeJDEUK62TUYnStXJ7TpZxULuGjsAeD/oW9Ts h8StKZ8NGx6JthyeCYDq5BbQ46TW4mro2Hsky9Ys0ztDJINoMdnj0liQ25mM1l2A k24E2OGkxoEQsL3Z0vLBOpVMnHloPFP0UQ9sA+eN8n7MT0A3Ez/TF/eGP0Rbiur4 XCD6bx14FM19ZYSCwfSyd/vjIb2P5E0TkLAkFiNrubo8E9E86DzG3PlLaAHw0+bC ns1nmZHXajUMKt32u/Gp7kuC9sgr9d079XM/SIw4TjUmlDKVOY0ftljWKFv6CTjr /ERXa8XG+FrWmLVUO5frOCD4CIFDu3G4U6hiWXfjWd8i9re6D6UjQdvRdZdTYE+J FCwp8iMhKgOyt0heRujWpJwAHVPw62upDG8p+bKYnoUteKvgau+bvNAHy83yfKdQ EDyeK7hG0Ud0aq8XN/s7w9wM40pLfT+JR+zGgJHcVXtR5SnoQaZTFPXX6VX3AEef O1eJ6XrZmTd3T1Uwvf23HuyEEAGJylfS8zK5goPEuLE90r9a6/KfcYcSaZzjV0EG 8hp8RpoMHkvGQOJn9IAbiijjeWQNwSS1GbwePI+h/KTftWcOA2vol8g2iB27hvGr by9C4jivhnI= =5E2F -----END PGP SIGNATURE-----