===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4357
   Security Bulletin: Vulnerability in Hibernate Validator affects Liberty
                    for Java for IBM Cloud (CVE-2020-10693)
                              10 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Liberty for Java
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10693
Reference:         ESB-2020.3686
                   ESB-2020.3557

Original Bulletin:
   https://www.ibm.com/support/pages/node/6380400

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud
(CVE-2020-10693)

Document Information

Document number    : 6380400
Modified date      : 09 December 2020
Product            : Liberty for Java
Software version   : All
Operating system(s): Linux

Summary

There is a vulnerability in the Hibernate Validator library used by WebSphere
Application Server Liberty.

Vulnerability Details

CVEID: CVE-2020-10693
DESCRIPTION: Hibernate Validator could allow a remote attacker to bypass
security restrictions, caused by a flaw in the message interpolation
processor. By sending a specially-crafted request, an attacker could exploit
this vulnerability to bypass input sanitation controls when handling
user-controlled data in error messages.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/182240 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+--------------------+----------+
|Affected Product(s) |Version(s)|
+--------------------+----------+
|Liberty for Java    |3.49      |
+--------------------+----------+

Remediation/Fixes

To upgrade to Liberty for Java v3.51-20201113-1351 or higher, you must re-stage
or re-push your application.

To find the version of Liberty for Java currently used by your application in
IBM Cloud, run the following command from the command-line Cloud Foundry
client:

  cf ssh -c "cat staging_info.yml"

Look for the following lines:

  {"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-20.0.0_9, buildpack-v3.49-20200918-0244, ibmjdk-1.8.0_sr6fp15-20200724, env) ","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use
the following command:

  cf restage

To re-push your application using the command-line Cloud Foundry client, use
the following command:

  cf push

Workarounds and Mitigations

None

Change History

09 Dec 2020: Initial Publication

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
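The bulletin above describes user-controlled data reaching Hibernate Validator's message interpolator. As an added example (not code from IBM, AusCERT or the Hibernate project), the following shows the two defensive patterns an application can apply while the platform upgrade is rolled out: passing the rejected value into a constraint message as a message parameter rather than as template text, and building the ValidatorFactory with Hibernate Validator's ParameterMessageInterpolator so expression-language terms in messages are never evaluated. The NoWhitespace constraint and the SignupForm bean are hypothetical; the Hibernate Validator and javax.validation classes used are the library's real API.

```java
import java.lang.annotation.*;
import java.util.Set;
import javax.validation.*;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

public class SafeMessageInterpolation {
    // Hypothetical constraint used for the demo: no whitespace allowed.
    // {rejected} is a message parameter, supplied by the validator below.
    @Constraint(validatedBy = NoWhitespaceValidator.class)
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    public @interface NoWhitespace {
        String message() default "'{rejected}' must not contain whitespace";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class NoWhitespaceValidator
            implements ConstraintValidator<NoWhitespace, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || !value.matches(".*\\s.*")) return true;
            // Pass the user-controlled value as a message parameter: it is
            // substituted verbatim, never parsed as template text. Concatenating
            // it into the string given to buildConstraintViolationWithTemplate()
            // would let user data reach the interpolator as a template; avoid that.
            ctx.unwrap(HibernateConstraintValidatorContext.class)
               .addMessageParameter("rejected", value);
            return false;
        }
    }

    public static class SignupForm {
        @NoWhitespace public String username;
    }

    // Factory whose interpolator performs parameter substitution only, so an
    // EL expression that reaches a message is echoed back as literal text.
    public static ValidatorFactory parameterOnlyFactory() {
        return Validation.byProvider(HibernateValidator.class).configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory();
    }

    public static void main(String[] args) {
        SignupForm form = new SignupForm();
        form.username = "first last ${'el'}";   // constructed sample input
        Set<ConstraintViolation<SignupForm>> vs =
                parameterOnlyFactory().getValidator().validate(form);
        vs.forEach(v -> System.out.println(v.getPropertyPath() + ": " + v.getMessage()));
    }
}
```

With ParameterMessageInterpolator the application no longer needs an EL implementation on the classpath, which is a useful signal in a dependency review: a validator module that still pulls in javax.el is still configured to evaluate message expressions.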