7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
This security bulletin addresses the Denial of Service (DOS) vulnerability that has been found to impact Websphere Liberty in IBM Tivoli Application Dependency Discovery Manager.
CVEID:CVE-2019-4720
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172125 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Tivoli Application Dependency Discovery Manager | 7.3.0 (7.3.0.3 - 7.3.0.7) |
Directions for interim efix application:
Check the websphere version installed using any of the below three commands:
https://www.ibm.com/support/pages/node/5693217
Then proceed to apply the below interim efix efix_WLP_20001_InterimFix_FP7200218.zip of websphere.
If Websphere version output above is โ20.0.0.1โ then apply the interim efix efix_WLP_20001_InterimFix_FP7200218.zip directly.
For TADDM 7.3.0.7 environment:
The websphere version has been upgraded to 20.0.0.1 in 7.3.0.7 but as a precautionary measure, please check the version before application of any fixes. With version 20.0.0.1, the interim fix efix_WLP_20001_InterimFix_FP7200218.zip can be applied directly.
The interim efix details are as follows:
Fix | VRMF | APAR | How to acquire fix |
---|
efix_WLP_20001_InterimFix_FP7200218.zip
| 7.3.0.5 - 7.3.0.7 | None | Download eFix
Note: Before TADDM 7.3.0.5, Java 7 was used and the upgraded Liberty version 20.0.0.1 requires Java8. Hence, no eFix can be provided for versions before 7.3.0.5.
For customers on TADDM FixPack 3 or FixPack 4, recommendation is to upgrade to a later version and then follow the steps mentioned above.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P