Lucene search

K
ibmIBM05996CA3681F693A59525A2CFB7913B00FD3EC80FA9669C448A3B527653DAB6F
HistoryMay 02, 2023 - 10:53 p.m.

Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Thrift

2023-05-0222:53:35
www.ibm.com
17

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.059 Low

EPSS

Percentile

93.3%

Summary

IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Apache Thrift.

Vulnerability Details

CVEID:CVE-2019-0205
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by an error when processing untrusted Thrift payload. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-0210
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by an out-of-bounds read in a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol. A remote attacker could exploit this vulnerability to cause the application to panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-13949
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause a large memory allocation.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196738 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Watson Discovery 4.0.0-4.6.3

Remediation/Fixes

Upgrade to IBM Watson Discovery 4.6.5

<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install&gt;

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.059 Low

EPSS

Percentile

93.3%