Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1684DEC3DF3BB9E78C84E76D9D7057965A40ADC07F69C113F4E928D34BF0D671
HistoryOct 07, 2020 - 8:49 p.m.

Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

2020-10-0720:49:35
www.ibm.com
9

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Summary

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.

Vulnerability Details

CVEID:CVE-2018-12545
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames container containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161491 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2017-9735
**DESCRIPTION:**Jetty could allow a remote attacker to obtain sensitive information, caused by a timing channel flaw in util/security/Password.java. By observing elapsed times before rejection of incorrect passwords, an attacker could exploit this vulnerability to obtain access information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/127842 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2017-7658
**DESCRIPTION:**Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2017-7657
**DESCRIPTION:**Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked Transfer-Encoding chunk size. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145521 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2017-7656
**DESCRIPTION:**Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw in the HTTP/1.x Parser. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145520 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-10241
**DESCRIPTION:**Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-10247
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160610 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2018-12536
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL request to the java.nio.file.InvalidPathException function using an invalid parameter to cause an error message to be returned containing the full installation path. An attacker could use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145523 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-0222
**DESCRIPTION:**Apache ActiveMQ is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted MQTT frame, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158686 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-1941
**DESCRIPTION:**Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the admin GUI. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181957 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-8006
**DESCRIPTION:**Apache ActiveMQ is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the queues.jsp file. A remote attacker could exploit this vulnerability using the QueueFilter parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148808 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2018-11775
**DESCRIPTION:**Apache ActiveMQ Client could allow a remote attacker to conduct a man-in-the-middle attack, caused by a missing TLS hostname verification. An attacker could exploit this vulnerability to launch a man-in-the-middle attack between a Java application using the ActiveMQ client and the ActiveMQ server.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/149705 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2017-15709
**DESCRIPTION:**Apache ActiveMQ could allow a remote attacker to obtain sensitive information, caused by the storing of certain system details in plaintext when using the OpenWire protocol. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/139028 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2015-7559
**DESCRIPTION:**Apache ActiveMQ client is vulnerable to a denial of service, caused by a remote shutdown command in the ActiveMQConnection class. By sending a specific command, a remote authenticated attacker could exploit this vulnerability to cause the application to stop responding.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170664 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-12423
**DESCRIPTION:**Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when ships with OpenId Connect JWK Keys service. By accessing the JWK keystore file, an attacker could exploit this vulnerability to obtain the public keys in JWK format, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174688 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-17573
**DESCRIPTION:**Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-12419
**DESCRIPTION:**Apache CXF could allow a remote attacker to bypass security restrictions, caused by the failure to validate that the authenticated principal is equal to that of the supplied clientId parameter in the request by the OpenId Connect token service. By obtaining the authorization code issued to another client, an attacker could exploit this vulnerability to obtain an access token for the other client.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170975 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2020-1954
**DESCRIPTION:**Apache CXF is vulnerable to a man-in-the-middle attack, caused by a flaw in JMX Integration. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178938 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-12406
**DESCRIPTION:**Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM QRadar SIEM 7.4.0 - 7.4.1 GA

IBM QRadar SIEM 7.3.0 - 7.3.3 Patch 4

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.4.1 Patch 1

QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 5

Workarounds and Mitigations

None

Related

ibm 49
fedora 8
openvas 23
nessus 16
debian 6
osv 22
f5 3
debiancve 7
ubuntucve 7
github 10
veracode 9
cve 11
prion 11
checkpoint_advisories 2
redhatcve 10
nuclei 1
threatpost 1
atlassian 1
redhat 1
mageia 1
ibm
ibm
Security Bulletin: IBM Security Guardium Insights is affected by a Components with known vulnerabilities
2021-10-06 12:30:35
Security Bulletin: Tivoli Netcool/Omnibus installation contains vulnerable Eclipse Jetty code libraries (Multiple CVEs)
2022-07-07 17:38:21
Security Bulletin: Vulnerabilities in Eclipse Jetty affect the IBM InfoSphere Information Server installers
2018-10-16 20:00:01
fedora
fedora
[SECURITY] Fedora 28 Update: jetty-9.4.11-2.v20180605.fc28
2018-07-12 14:21:30
[SECURITY] Fedora 27 Update: jetty-9.4.11-2.v20180605.fc27
2018-07-12 13:47:39
[SECURITY] Fedora 28 Update: jetty-9.4.11-3.v20180605.fc28
2019-05-03 01:36:11
openvas
openvas
Fedora Update for jetty FEDORA-2018-48b73ed393
2018-07-15 00:00:00
Debian: Security Advisory (DLA-2661-1)
2021-05-15 00:00:00
Debian: Security Advisory (DSA-4278-1)
2018-08-18 00:00:00
nessus
nessus
Fedora 28 : jetty (2018-48b73ed393)
2019-01-03 00:00:00
Debian DLA-2661-1 : jetty9 security update
2021-05-17 00:00:00
Fedora 27 : jetty (2018-93a507fd0f)
2018-07-13 00:00:00
debian
debian
[SECURITY] [DLA 2661-1] jetty9 security update
2021-05-14 13:28:53
[SECURITY] [DSA 4278-1] jetty9 security update
2018-08-19 21:21:38
[SECURITY] [DLA 2583-1] activemq security update
2021-03-05 17:05:48
osv
osv
jetty9 - security update
2021-05-14 00:00:00
jetty9 - security update
2018-08-19 00:00:00
activemq - security update
2021-03-05 00:00:00
f5
f5
K10002140 : Eclipse Jetty vulnerabilities CVE-2017-7657 and CVE-2017-7658
2022-04-05 00:00:00
K01869532 : Eclipse Jetty vulnerability CVE-2019-10241
2020-12-14 00:00:00
K33548065 : Eclipse Jetty vulnerability CVE-2018-12536
2022-03-28 00:00:00
debiancve
debiancve
CVE-2015-7559
2019-08-01 14:15:00
CVE-2018-12545
2019-03-27 20:29:00
CVE-2017-15709
2018-02-13 20:29:00
ubuntucve
ubuntucve
CVE-2015-7559
2019-08-01 00:00:00
CVE-2017-15709
2018-02-13 00:00:00
CVE-2018-12545
2019-03-27 00:00:00
github
github
ActiveMQ's OpenWire protocol exposes certain system details as plain text
2022-05-13 01:11:29
Improper Input Validation and Missing Authentication for Critical Function in Apache ActiveMQ
2019-08-01 19:17:45
Apache ActiveMQ web console vulnerable to Cross-site Scripting
2018-10-30 20:48:58
veracode
veracode
Denial Of Service (DoS)
2019-07-08 08:31:17
Denial Of Service (DoS)
2017-04-25 09:17:17
Information Disclosure
2018-06-26 16:29:06
cve
cve
CVE-2015-7559
2019-08-01 14:15:00
CVE-2018-12545
2019-03-27 20:29:00
CVE-2019-12423
2020-01-16 18:15:00
prion
prion
Design/Logic Flaw
2018-02-13 20:29:00
Command injection
2019-08-01 14:15:00
Cross site scripting
2020-01-16 18:15:00
checkpoint_advisories
checkpoint_advisories
Eclipse Jetty Denial-of-service (CVE-2018-12545)
2019-11-25 00:00:00
Apache ActiveMQ QueueFilter Cross-Site Scripting (CVE-2018-8006)
2018-08-23 00:00:00
redhatcve
redhatcve
CVE-2018-12545
2019-04-04 06:20:00
CVE-2017-15709
2018-02-22 16:18:52
CVE-2015-7559
2017-04-19 15:18:22
nuclei
nuclei
Apache ActiveMQ <=5.15.5 - Cross-Site Scripting
2021-01-09 14:45:11
threatpost
threatpost
Cross-Site Scripting Flaw in Apache ActiveMQ Threatens Web Visitors
2018-08-24 15:25:01
atlassian
atlassian
Info Disclosure org.eclipse.jetty:jetty-util in Jira Software Data Center and Server
2023-09-26 16:16:57
redhat
redhat
(RHSA-2020:0824) Moderate: Open Liberty 20.0.0.3 Runtime security update
2020-03-16 15:56:42
mageia
mageia
Updated jetty packages fix security vulnerability
2017-08-18 20:06:49

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for 1684DEC3DF3BB9E78C84E76D9D7057965A40ADC07F69C113F4E928D34BF0D671
ibm49fedora8openvas23nessus16debian6osv22f53debiancve7ubuntucve7github10veracode9cve11prion11checkpoint_advisories2redhatcve10nuclei1threatpost1atlassian1redhat1mageia1