IBM104E5358C09C4A12262672713C06CC3321584D57C3884021EB6B32EED2C9E8BCSecurity Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable to Denial of Service (CVE-2019-4720)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
This security bulletin addresses the Denial of Service (DOS) vulnerability that has been found to impact Websphere Liberty in IBM Tivoli Application Dependency Discovery Manager.
Vulnerability Details
CVEID:CVE-2019-4720
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172125 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0 (7.3.0.3 - 7.3.0.7) |
Remediation/Fixes
Directions for interim efix application:
- For TADDM 7.3.0.5 and 7.3.0.6 environment:
Check the websphere version installed using any of the below three commands:
- $COLLATION_HOME/external/wlp/bin/server version
- $COLLATION_HOME/external/wlp/bin/productInfo version
- cd $COLLATION_HOME/external/wlp; cat README.TXT |head -1
- If Websphere version output is โ8.5.5.8โ, then please first apply the efix of WebSphere 20.0.0.1 which was released earlier and can be found at below link:
https://www.ibm.com/support/pages/node/5693217
Then proceed to apply the below interim efix efix_WLP_20001_InterimFix_FP7200218.zip of websphere.
-
If Websphere version output above is โ20.0.0.1โ then apply the interim efix efix_WLP_20001_InterimFix_FP7200218.zip directly.
-
For TADDM 7.3.0.7 environment:
The websphere version has been upgraded to 20.0.0.1 in 7.3.0.7 but as a precautionary measure, please check the version before application of any fixes. With version 20.0.0.1, the interim fix efix_WLP_20001_InterimFix_FP7200218.zip can be applied directly.
The interim efix details are as follows:
| Fix | VRMF | APAR | How to acquire fix |
|---|
efix_WLP_20001_InterimFix_FP7200218.zip
| 7.3.0.5 - 7.3.0.7 | None | Download eFix
Note: Before TADDM 7.3.0.5, Java 7 was used and the upgraded Liberty version 20.0.0.1 requires Java8. Hence, no eFix can be provided for versions before 7.3.0.5.
Workarounds and Mitigations
For customers on TADDM FixPack 3 or FixPack 4, recommendation is to upgrade to a later version and then follow the steps mentioned above.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P