Jul 01, 2019 - 1:45 p.m.

Security Bulletin: IBM Application Performance Management could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names (CVE-2019-4131)

2019-07-01 13:45:01
www.ibm.com

EPSS: 0.001 Low
Percentile: 42.3%

Summary

IBM Application Performance Management could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names.

Vulnerability Details

CVEID: CVE-2019-4131
DESCRIPTION: IBM Application Performance Management could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158270> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Cloud Application Performance Management, Base Private 8.1.4
IBM Cloud Application Performance Management, Advanced Private 8.1.4

Remediation/Fixes

| Product | Product VRMF | Remediation |
|---|---|---|
| IBM Cloud Application Performance Management, Base Private; IBM Cloud Application Performance Management, Advanced Private | 8.1.4 | The vulnerabilities can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0008 or later server patch to the system where the Cloud APM server is installed: https://www.ibm.com/support/docview.wss?uid=ibm10874776 |

The 8.1.4.0-IBM-APM-SERVER-IF0008 or later server interim fix prevents the DNS lookups for requests to the apmui, oidc, and uviews services of the Cloud APM server. To prevent server-side DNS lookups from occurring on requests to the Cloud APM server min and server1 services, follow the instructions in the following Cloud APM Knowledge Center topics:

<https://www.ibm.com/support/knowledgecenter/SSHLNR_8.1.4/com.ibm.pm.doc/install/config_server_virtualhosts.htm>
<https://www.ibm.com/support/knowledgecenter/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_server_virtualhosts.htm>

Workarounds and Mitigations

None

CPE Name Operator Version
tivoli monitoring eq 8.1.4
