Security Bulletin: Multiple vulnerabilities in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise

Summary

Multiple vulnerabilities have been identified in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and in supporting products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.

Vulnerability Details

This security bulletin covers multiple vulnerabilities in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and supporting products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. It addresses other vulnerabilities including the IBM SDK, Java Technology Edition October 2015. This security bulletin covers also the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol vulnerability.

CVEID: CVE-2015-7450 DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-4872**
DESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107361 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-4734**
DESCRIPTION:** An unspecified vulnerability related to the JGSS component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-5006**
DESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106309 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2015-4947 DESCRIPTION: IBM HTTP Server Administration Server could be vulnerable to a stack buffer overflow, caused by improper handling of user input. An authenticated remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104912 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-4938 DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to spoof a servlet. An attacker could exploit this vulnerability to persuade the user into entering sensitive information.
CVSS Base Score: 3.5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104415&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT cipher suite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-3183 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104844 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2015-2017 DESCRIPTION: IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/103991&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-1932**
DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise could allow a remote attacker to obtain information that identifies the proxy server software being used.
CVSS Base Score: 5
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102970&gt;_ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-3646
Description: OpenStack Keystone could allow a remote attacker to obtain sensitive information, caused by the logging of the backend argument configuration option content. An attacker with read access could exploit this vulnerability to obtain sensitive information about specific backends.
CVSS Base Score: 4.300
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/102922 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1788 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103778 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Affected Principal Product and Versions

| Affected Supporting Product and Version
—|—
IBM Cloud Orchestrator 2.4, 2.4.0.1 and 2.4.0.2 and 2.4.0.2 Interim Fix1| IBM Business Process Manager Standard 8.5.0.1
IBM HTTP Server 8.5.5
IBM Tivoli System Automation Application Manager 4.1
IBM Tivoli System Automation for Multiplatforms 4.1
IBM Endpoint Manager for Patch Management 9.1
IBM DB2 Enterprise Server Edition 10.5.0.2
IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.2 Interim Fix1 | IBM Business Process Manager Standard 8.5.0.1
IBM HTTP Server 8.5.5
IBM Tivoli System Automation Application Manager 4.1
IBM Tivoli System Automation for Multiplatforms 4.1
IBM Endpoint Manager for Patch Management 9.1
IBM DB2 Enterprise Server Edition 10.5.0.2
IBM SmartCloud Cost Management 2.1.0.4
IBM Tivoli Monitoring 6.3.0.2

Remediation/Fixes

The recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available.

If you are running IBM Cloud Orchestrator 2.4, 2.4.0.1 or 2.4.0.2, 2.4.0.2 Interim Fix1** **upgrade to IBM Cloud Orchestrator 2.4 Fix Pack 3** (2.4.0.3)**.

For affected supporting products shipped with IBM Cloud Orchestrator consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment.

| Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator
IBM Tivoli System Automation Application Manager| 4.1| Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator
IBM Tivoli System Automation for Multiplatforms| 4.1| Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator
IBM DB2 Enterprise Server Edition| 10.5.0.2| Security Bulletin: Multiple vulnerabilities in IBM DB2 Enterprise Server Edition shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator
IBM Endpoint Manager for Patch Management| 9.1| Security Bulletin: Multiple vulnerabilities in IBM Endpoint Manager for Patch Management shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator

If you are running IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1 or 2.4.0.2, 2.4.0.2 Interim Fix1 upgrade to** **IBM Cloud Orchestrator Enterprise 2.4 Fix Pack 3 (2.4.0.3)

For affected supporting products shipped with IBM Cloud Orchestrator Enterprise, consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment.

Note: You should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.

Workarounds and Mitigations

None