449 matches found

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 29 views

Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator

Summary: IBM Tivoli System Automation Application Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM Tivoli System Automati...

CVSS 10 | AI score 2.4 | EPSS 0.99999
Exploits 25 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 20 views

Security Bulletin: IBM SmartCloud Orchestrator - Keystone DoS through V3 API authentication chaining (CVE-2014-2828)

Summary: By sending a single request with the same authentication method multiple times, a remote attacker might generate unwanted load on the Keystone host, which might potentially result in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected...

CVSS 7.8 | AI score 0.8 | EPSS 0.03129
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 15 views

Security Bulletin: Log Viewer vulnerability affects IBM Workload Deployer, which is shipped with IBM SmartCloud Orchestrator (CVE-2014-6190)

Summary: Log Viewer vulnerability affects IBM Workload Deployer, which is shipped with IBM SmartCloud Orchestrator (CVE-2014-6190). Vulnerability Details: For vulnerability details, see the IBM Workload Deployer Security Bulletin. Affected Products and Versions: IBM SmartCloud Orchestrator 2.2 and 2.2...

CVSS 5 | AI score 1.8 | EPSS 0.01209
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 13 views

Security Bulletin: File path traversal vulnerabilities affect IBM Workload Deployer shipped with IBM SmartCloud Orchestrator (CVE-2014-6158)

Summary: File path traversal vulnerabilities affect IBM Workload Deployer, which is shipped with IBM SmartCloud Orchestrator (CVE-2014-6158). Vulnerability Details: Consult the Security Bulletin: File path traversal vulnerabilities affect IBM Workload Deployer (CVE-2014-6158) document for vulnerability...

CVSS 9 | AI score 2.9 | EPSS 0.03667
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 20 views

Security Bulletin: Vulnerability in Keystone affects IBM SmartCloud Orchestrator (CVE-2014-3520)

Summary: Vulnerability in Keystone affects IBM SmartCloud Orchestrator (CVE-2014-3520). Vulnerability Details: Keystone V2 trusts privilege escalation through user supplied project ID. By using an out-of-scope project ID, a trustee might gain unauthorized access if the trustor has the required roles ...

CVSS 6.5 | AI score 0.8 | EPSS 0.01871
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 25 views

Security Bulletin: Vulnerability in Keystone affects IBM SmartCloud Orchestrator (CVE-2014-3476)

Summary: Vulnerability in Keystone affects IBM SmartCloud Orchestrator (CVE-2014-3476). Vulnerability Details: By creating a delegation from a trust or OAuth token, a trustee might abuse the identity impersonation against keystone and circumvent the enforced scope, which results in potential elevated...

CVSS 6 | AI score 0.8 | EPSS 0.02308
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 29 views

Security Bulletin: Security vulnerability in IBM Business Process Manager shipped with IBM SmartCloud Orchestrator and IBM Cloud Orchestrator (CVE-2014-8730)

Summary: IBM Business Process Manager and DB2 Enterprise Server Edition are shipped as components of IBM SmartCloud Orchestrator and IBM Cloud Orchestrator. Information about a security vulnerability (CVE-2014-8730) affecting both IBM Business Process Manager and IBM DB2 has been published in a...

CVSS 4.3 | AI score 0.1 | EPSS 0.1372
Exploits 0

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 26 views

Security Bulletin: IBM SmartCloud Orchestrator - Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition (CVE-2014-4263, CVE-2014-4244)

Summary: Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition, which is shipped with IBM SmartCloud Orchestrator. Vulnerability Details: CVEID: CVE-2014-4263 DESCRIPTION: An unspecified vulnerability in Oracle Java SE and JRockit that is related to the Security component...

CVSS 4 | AI score 0.9 | EPSS 0.03501
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 26 views

Security Bulletin: Vulnerabilities in Django affect IBM SmartCloud Provisioning shipped with IBM SmartCloud Orchestrator (CVE-2014-0480, CVE-2014-0481, CVE-2014-0482, CVE-2014-0483).

Summary: Vulnerabilities in Django affect IBM SmartCloud Provisioning, which is shipped with IBM SmartCloud Orchestrator (CVE-2014-0480, CVE-2014-0481, CVE-2014-0482, CVE-2014-0483). Vulnerability Details: Consult Vulnerabilities in Django affect SmartCloud Provisioning CVE 2014-0480, CVE 2014-0481,...

CVSS 6 | AI score 2.3 | EPSS 0.02459
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 27 views

Security Bulletin: SmartCloud Orchestrator - Multiple security vulnerabilities exist in the IBM SDK, Java Technology Edition (CVE-2014-0453, CVE-2014-0460, CVE-2014-0878)

Summary: Multiple security vulnerabilities exist in the IBM SDK, Java Technology Edition that is shipped with IBM SmartCloud Orchestrator. Vulnerability Details: CVEID: CVE-2014-0453 DESCRIPTION: An unspecified vulnerability, which is related to the Security component, has partial confidentiality...

CVSS 5.8 | AI score 0.8 | EPSS 0.05471
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 19 views

Security Bulletin: IBM SmartCloud Orchestrator - OpenStack Compute SSL information disclosure (CVE-2013-6491)

Summary: An attacker might exploit this vulnerability using man-in-the-middle techniques to obtain sensitive information. The python-qpid client common/rpc/impl_qpid.py in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl. It allows remote attackers to...

CVSS 4.3 | AI score 1.6 | EPSS 0.01884
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 34 views

Security Bulletin: SmartCloud Orchestrator - Multiple security vulnerabilities exist in the IBM SDK, Java™ Technology Edition (CVE-2013-5802, CVE-2013-5772, CVE-2014-0411)

Summary: IBM SmartCloud Orchestrator is shipped with an IBM SDK that is based on Oracle JDK. Oracle released October 2013 and January 2014 critical patch updates (CPU), which contain security vulnerability fixes. IBM SDK, Java™ Technology Edition, has been updated to include those fixes. The IBM SDK...

CVSS 7.5 | AI score 0.9 | EPSS 0.04347
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 22 views

Security Bulletin: Security vulnerabilities have been identified in IBM DB2, which shipped with IBM SmartCloud Orchestrator (CVE-2013-6747, CVE-2014-0963)

Summary: IBM DB2 is shipped as a component of IBM SmartCloud Orchestrator. Information about security vulnerabilities affecting IBM DB2 has been published in a security bulletin. Vulnerability Details: Review the IBM DB2 is impacted by multiple TLS/SSL security vulnerabilities CVE-2013-6747,...

CVSS 7.1 | AI score 2.9 | EPSS 0.03077
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 28 views

Security Bulletin: IBM SmartCloud Orchestrator - Trustee token revocation does not work with memcache backend (CVE-2014-2237)

Summary: When a trustor issues a trust token with impersonation enabled, the token is only added to the trustor's token list and not to the trustee's token list. This scenario results in the trust token not being invalidated by the trustee's token revocation bulk revocation. It is most noticeable...

CVSS 5 | AI score 0.3 | EPSS 0.01367
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 32 views

Security Bulletin: SmartCloud Orchestrator is affected by the following OpenSSL vulnerabilities (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470, CVE-2014-0076)

Summary: Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. Vulnerability Details: CVE-ID: CVE-2014-0224 DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, which is caused by the use of weak keying material in SSL/TLS...

CVSS 7.4 | AI score 1 | EPSS 0.99977
Exploits 14 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 25 views

Security Bulletin: IBM SmartCloud Orchestrator - Nova compute DoS through ephemeral disk backing files (CVE-2013-6437)

Summary: By repeatedly creating snapshots, changing the ostype to a new random value, and spawning new instances from the snapshot and quickly deleting those instances, an authenticated user might generate lots of different ephemeral disk backing files. These files then fill up compute node disks,...

CVSS 4 | AI score 1.1 | EPSS 0.0202
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 29 views

Security Bulletin: Potential Nova denial of service through compressed disk images (CVE-2013-4463, CVE-2013-4469)

Summary: By using malicious compressed qcow2 disk images, an authenticated user might consume large amounts of disk space for each image. This scenario can potentially result in a Denial of Service attack on Nova compute nodes (CVE-2013-4463). In the non-default case where use_cow_images=False and...

CVSS 2.1 | AI score 1.1 | EPSS 0.00438
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 43 views

Security Bulletin: IBM SmartCloud Orchestrator is affected by a vulnerability in OpenSSL (CVE-2014-0160)

Summary: A security vulnerability has been discovered in OpenSSL. Vulnerability Details: CVE-ID: CVE-2014-0160 DESCRIPTION: OpenSSL might allow a remote attacker to obtain sensitive information, which is caused by an error in the TLS/DTLS heartbeat functionality. An attacker might exploit this...

CVSS 7.5 | AI score 0.5 | EPSS 0.99999
Exploits 86 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 37 views

Security Bulletin: Nova live snapshots use an insecure local directory (CVE-2013-7048)

Summary: The directories that are used to temporarily store live snapshots on Nova compute nodes are writable to all local users. A local attacker with shell access on the compute nodes might, therefore, read and modify the contents of live snapshots before those files are uploaded to the image...

CVSS 3.3 | AI score 1.5 | EPSS 0.00475
Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2018/06/17 10:30 p.m. | 16 views

Security Bulletin: Vulnerability in common-collections affects IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2015-7450)

Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM SmartCloud Provisioning for IBM Software Virtual Appliance. Vulnerability Details: CVEID: CVE-2015-7450 DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute...

CVSS 10 | AI score 2.5 | EPSS 0.97655
Exploits 10 | Affected Software 1