Lucene search

K
ibmIBM0C49DC7FF9688CB3C8974272755591BF1B851989940E674D2850C0DB0FAA67A4
HistoryMar 01, 2019 - 12:05 a.m.

Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java (Feb 2019, updated)

2019-03-0100:05:02
www.ibm.com
26

EPSS

0.005

Percentile

77.2%

Summary

Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java. These vulnerabilities have been addressed in the latest SDK Java releases.

Vulnerability Details

CVE-ID: CVE-2018-19362
Description: An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/155093&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2018-19361
Description: An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/155092&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2018-19360
Description: An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/155091&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2018-1000873
Description: FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/154804&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

CVE-ID Affected SDK Releases
CVE-2018-19362 IBM COS SDK Java releases prior to 2.4.2
CVE-2018-19361 IBM COS SDK Java releases prior to 2.4.2
CVE-2018-19360 IBM COS SDK Java releases prior to 2.4.2
CVE-2018-1000873 IBM COS SDK Java releases prior to 2.4.2

Remediation/Fixes

IBM COS SDK Releases Link to Fix / Fix Availability Target
SDK Java 2.4.2

https://github.com/IBM/ibm-cos-sdk-java/tree/2.4.2

EPSS

0.005

Percentile

77.2%