Lucene search

IBM1093CD885AA4F8CB34F1885DAA3875631704625EAA6EED3CF76B859F843CF106

HistoryDec 01, 2023 - 3:38 p.m.

Security Bulletin: Vulnerability in Apache Solr affect IBM Operations Analytics - Log Analysis (CVE-2018-18928)

2023-12-0115:38:10

www.ibm.com

apache solr

ibm operations analytics

log analysis

cve-2018-18928

integer overflow

icu

local attacker

application crash

upgrade

version 1.3.8

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.2%

JSON

Summary

Apache Solr is vulnerable to integer overflow. This has been addressed.

Vulnerability Details

CVEID:CVE-2018-18928
**DESCRIPTION:**International Components for Unicode (ICU) is vulnerable to a denial of service, caused by an integer overflow in the number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp. A local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152568 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Log Analysis	1.3.5.3
Log Analysis	1.3.6.0
Log Analysis	1.3.6.1
Log Analysis	1.3.7.0
Log Analysis	1.3.7.1
Log Analysis	1.3.7.2

Remediation/Fixes

Principal Product and Version(s)	Fix details
IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1 and 1.3.7.2	Use Log Analysis version 1.3.8. You can download the release from Passport Advantage. Part number:
M0GJREN IBM Operations Analytics Log Analysis v1.3.8 Linux 64 bit
M0GJSEN IBM Operations Analytics Log Analysis v1.3.8 zLinux 64 bit
M0GJTEN IBM Operations Analytics Log Analysis v1.3.8 Power8 ppc64le

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsmartcloud_analytics_log_analysisMatch1.3.5.3

ibmsmartcloud_analytics_log_analysisMatch1.3.6.0

ibmsmartcloud_analytics_log_analysisMatch1.3.6.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.0

ibmsmartcloud_analytics_log_analysisMatch1.3.7.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.2

CPENameOperatorVersion
ibm operations analytics - log analysiseq1.3.5.3
ibm operations analytics - log analysiseq1.3.6.0
ibm operations analytics - log analysiseq1.3.6.1
ibm operations analytics - log analysiseq1.3.7.0
ibm operations analytics - log analysiseq1.3.7.1
ibm operations analytics - log analysiseq1.3.7.2

Name	Operator	Version
ibm operations analytics - log analysis	eq	1.3.5.3
ibm operations analytics - log analysis	eq	1.3.6.0
ibm operations analytics - log analysis	eq	1.3.6.1
ibm operations analytics - log analysis	eq	1.3.7.0
ibm operations analytics - log analysis	eq	1.3.7.1
ibm operations analytics - log analysis	eq	1.3.7.2