Published: Dec 15, 2021 - 7:41 a.m.

Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in busybox, arpwatch, apr, acpid, augeas, firefox, ctdb.

Source: www.ibm.com

Aggregate score shown for this bulletin: 10 High

CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.757 High (percentile 97.9%)

Note: the 10.0 roll-up above is not the score of any single CVE in this bulletin. The highest per-CVE base score IBM lists is 8.8 (CVSS v3) and 7.5 (CVSS v2), and every v3 entry scored 8.8 requires user interaction (UI:R), unlike the UI:N/S:C headline vector. Prioritise on the per-CVE scores under Vulnerability Details, not on the headline.

Summary

WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in busybox, arpwatch, apr, acpid, augeas, firefox, ctdb. These vulnerabilities are addressed in App Connect Professional v7.5.4.0 and v7.5.5.0; customers can migrate to these versions at no additional cost.

Note that although the title names busybox, apr, acpid and ctdb, the Vulnerability Details below contain no CVE for those packages: the entries cover Firefox, the LZO compression library (CVE-2014-4607), arpwatch (CVE-2012-2653), the Skia graphics library as shipped in Chrome (CVE-2019-5798) and Augeas (CVE-2017-7555).

Vulnerability Details

CVEID:CVE-2019-11691
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when working with XMLHttpRequest (XHR) in an event loop. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161343 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11692
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when listeners are removed from the event listener manager while still in use. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11693
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a buffer overflow in the bufferdata function in WebGL. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161345 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11711
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by script injection within a domain through inner-window reuse. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163503 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-11730
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, because the same-origin policy treats all files in a directory as having the same origin, so a locally opened HTML file can read other files in that directory via file: URIs. By persuading a victim to open a specially-crafted HTML file, an attacker could exploit this vulnerability to read attachments the victim received from other correspondents.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163515 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-11698
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using drag and drop to steal user history data.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-9820
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in the chrome event handler. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161341 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11715
**DESCRIPTION:**Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input while parsing page content. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-9800
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-11712
**DESCRIPTION:**Mozilla Firefox is vulnerable to cross-site request forgery, because POST requests issued by NPAPI plugins that receive an HTTP 308 redirect bypass CORS requirements. By persuading an authenticated user to visit a malicious Web site, a remote attacker could exploit this vulnerability to send cross-origin requests in the victim's authenticated context, poison Web caches, and perform other malicious activities.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163504 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-11713
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in HTTP/2 when a cached HTTP/2 stream is closed while still in use. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163505 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11717
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by improper escaping of the caret (^) character in origins. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof origin attributes.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163510 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2014-4607
**DESCRIPTION:**Oberhumer LZO could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the lzo1x_decompress_safe() function when processing a long run of zero bytes in a crafted input. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/94014 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2012-2653
**DESCRIPTION:**arpwatch could allow a local attacker to bypass security restrictions, caused by a failure to drop supplementary groups.
CVSS Base score: 2.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/76536 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N)

CVEID:CVE-2019-5798
**DESCRIPTION:**Google Chrome could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in Skia. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-9797
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a cross-origin theft of images with createImageBitmap. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass same-origin policy and obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-9811
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions through the installation of a malicious language pack. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to escape the browser sandbox.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163502 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-11707
**DESCRIPTION:**Mozilla Firefox and Firefox ESR are vulnerable to a denial of service, caused by a type confusion when manipulating JavaScript objects due to issues in Array.pop. By persuading a victim to open a specially-crafted Web page, an attacker could exploit this vulnerability to cause the application to crash. Mozilla rated this flaw critical as an exploitable crash and reported targeted attacks in the wild abusing it at the time of the fix, so treat it as a code-execution risk rather than a plain crash despite the availability-only vector below.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162711 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11708
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using the Prompt:Open IPC message to open arbitrary content from a sandboxed child process in the non-sandboxed parent. Mozilla reported targeted attacks in the wild abusing this flaw; chained with CVE-2019-11707 it turns a content-process compromise into a sandbox escape.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162774 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-9817
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using canvas to steal image data from a different site.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-9816
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion when manipulating JavaScript objects in object groups. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161338 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-9819
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a JavaScript compartment mismatch while working with the fetch API. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161340 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11709
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2017-7555
**DESCRIPTION:**Augeas is vulnerable to a heap-based buffer overflow, caused by improper handling of escaped strings. By sending specially crafted strings, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/130659 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-18511
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a cross-origin theft of images with ImageBitmapRenderingContext. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using the transferFromImageBitmap method to bypass same-origin policy and obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156941 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

WebSphere Cast Iron v7.5.1.0

App Connect Professional v7.5.2.0

App Connect Professional v7.5.3.0

Remediation/Fixes

App Connect Professional 7.5.4.0 (7540): Fixcentral link
App Connect Professional 7.5.5.0 (7550): Fixcentral link

Workarounds and Mitigations

None
