Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)

Security Bulletin

Summary

IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to security vulnerabilities 3 issues for Postgresql: 1 for a flaw in the search_path setting2, 1 for a failure to check the host name if a host name verifier was not provided to the driver and 1 for a flaw in the COPY TO/FROM PROGRAM function.

Vulnerability Details

CVEID: CVE-2018-1058
DESCRIPTION: Postgresql could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the search_path setting. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code with the permissions of superuser in the database.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/139844 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-10936
DESCRIPTION: Postgresql is vulnerable to a man-in-the-middle attack, caused by the failure to check the host name if a host name verifier was not provided to the driver. By using a specially-crafted SSL certificate, an attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/149157 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2019-9193
DESCRIPTION: PostgreSQL could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the COPY TO/FROM PROGRAM function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of the database's operating system user.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159212 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Security Identity Governance and Intelligence	5.2.6

Remediation/Fixes

Affected Product(s)	Version(s)	First Fix
IBM Security Identity Governance and Intelligence	5.2.6	5.2.6.0-ISS-SIGI-FP0001

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Acknowledgement

Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Kamil Sarbinowski, Vince Dragnea, Troy Fisher and Elaheh Samani from IBM X-Force Ethical Hacking Team.

Change History

10 Mar 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSGHJR","label":"IBM Security Identity Governance and Intelligence"},"Component":"","Platform":[{"code":"PF004","label":"Appliance"}],"Version":"5.2.6","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)