-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2824
Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect
WebSphere Application Server shipped with IBM Security
Access Manager for Enterprise Single Sign-On
17 August 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Security Access Manager for Enterprise Single Sign-On
Operating System: Windows
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-2601 CVE-2020-2590
Reference: ASB-2020.0028
ESB-2020.2748
ESB-2020.2747
ESB-2020.2737
Original Bulletin:
https://www.ibm.com/support/pages/node/6260521
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Security Bulletin: Multiple Vulnerabilities in IBM(R) Java
SDK affect WebSphere Application Server shipped with IBM Security Access
Manager for Enterprise Single Sign-On July 2020 CPU plus deferred
CVE-2020-2590 and CVE-2020-2601
Document Information
Product : IBM Security Access Manager for Enterprise Single Sign-On
Software version : 8.2.1, 8.2.2
Operating system(s): Windows
Document number : 6260521
Modified date : 16 August 2020
Summary
IBM WebSphere Application Server is shipped with IBM Security Access Manager
for Enterprise Single Sign-On. Information about a security vulnerability
affecting IBM WebSphere Application Server has been published in a security
bulletin.
Vulnerability Details
CVEID: CVE-2020-2590
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Security component could allow an unauthenticated attacker to cause no
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities
/174538 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2020-2601
DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
Java SE, Java SE Embedded Security component could allow an unauthenticated
attacker to obtain sensitive information resulting in a high confidentiality
impact using unknown attack vectors.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities
/174548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
Affected Products and Versions
+---------------------------------------------------------+----------+
|Affected Product(s) |Version(s)|
+---------------------------------------------------------+----------+
|IBM Security Access Manager for Enterprise Single-Sign On|8.2 |
+---------------------------------------------------------+----------+
Remediation/Fixes
+--------------------+------------+------------------------------------------+
| | Affected | |
| Principal Product | Supporting | Affected Supporting Product Security |
| and Version(s) |Product and | Bulletin |
| | Version | |
+--------------------+------------+------------------------------------------+
|IBM Security Access |IBM |Security Bulletin: Multiple |
|Manager for |WebSphere |Vulnerabilities in IBM(R) Java SDK affect |
|Enterprise Single |Application |WebSphere Application Server July 2020 CPU|
|Sign-On 8.2.1 |Server 8.5 |plus deferred CVE-2020-2590 and |
| | |CVE-2020-2601 |
+--------------------+------------+------------------------------------------+
|IBM Security Access |IBM |Security Bulletin: Multiple |
|Manager for |WebSphere |Vulnerabilities in IBM(R) Java SDK affect |
|Enterprise Single |Application |WebSphere Application Server July 2020 CPU|
|Sign-On 8.2.2 |Server 8.5 |plus deferred CVE-2020-2590 and |
| | |CVE-2020-2601 |
+--------------------+------------+------------------------------------------+
Workarounds and Mitigations
None
Change History
06 Aug 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Document Location
Worldwide
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXzoXAeNLKJtyKPYoAQhDvQ/+PI9AD+/ioMPSpfGrUOaMqZRtUi0Idwyn
Bij78vsehQ5epIVdlUNcTEJHai8xPoIKCgo1wVNf3HETQac6w8ovrG8tSF0wdGMl
bxx4R5sDeiXhrPBtPHv1dbo1u3cGAqVE3vDLtRQi9X3kOy+zmHKipXsnCF7HR1jB
f9Wg+Q1ocHGyrgM6TA0/xFDSjhenEoTYLKCbZBr32w7PWWyVfkC7nlJmFOZ9qYtT
bDe1pKoKZSJSp9iZ501SZd1Xw29AIGRi2o0mqlozAor0/I+JJHjkaOVODBcg3BpV
DlH9k/XfQT+d4QADQn45aWxJGA781SepK1rdbqVa86GiGpPrmj0RQqrchkJDlWer
itkaH6j+jNPPT6hoblP0EKdbLe+ICGiiI/ZHn+L9OOPyyETIlPmkf58qaKb4pMLy
BQy/8XhP0jNTh5wqH+kdn45O/+T4pYdwyCJFxPmZB7gQjIuKKC7MXZe683zdkecL
NFBXjWfJfYUGHxjFAids5UJR38RWQ67ymD+FNMdXV3maxn0W7nvfC2wvCV6Vj9xR
fsUi41EaxAtfZI1JS55zdVgaSNRQETmmTHgDdTGxbbWkED2yngDVVe8KNrQ09lW0
atO/HQ0VU1DOiGTbe61qhDpKl1rF7mjKetoj8pmmKoSLXJ9PH+fk7lS+XIoUWGY+
WPd34j3e2vE=
=LAYH
-----END PGP SIGNATURE-----
https://www.malwaredevil.com/2020/08/17/esb-2020-2824-win-ibm-security-access-manager-for-enterprise-single-sign-on-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-2824-win-ibm-security-access-manager-for-enterprise-single-sign-on-multiple-vulnerabilities
No comments:
Post a Comment