Nov 03, 2022 - 8:43 a.m.

Security Bulletin: Vulnerability in Netty shipped with IBM Operations Analytics - Log Analysis (CVE-2019-20444)

2022-11-03 08:43:33
www.ibm.com
netty
ibm operations analytics
log analysis
http request smuggling
vulnerability
upgrade
cve-2019-20444

CVSS2

Score: 6.4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

Score: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 8.9
Confidence: High

EPSS: 0.009
Percentile: 82.4%

Summary

Netty prior to version 4.1.44 is vulnerable to HTTP request smuggling.

Vulnerability Details

**CVEID:** CVE-2019-20444
**DESCRIPTION:** Netty is vulnerable to HTTP request smuggling, caused by a flaw in HttpObjectDecoder.java. By sending a specially crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175487 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
Log Analysis | 1.3.x

Remediation/Fixes

Version | Fix details
IBM Operations Analytics - Log Analysis version 1.3.x | Upgrade to Log Analysis version 1.3.7.2 Interim Fix 4. Download the 1.3.7.2-TIV-IOALA-IF004. For Log Analysis prior to 1.3.7.2, upgrade to 1.3.7-TIV-IOALA-FP2 before installing this fix.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm smartcloud_analytics_log_analysis, Match 1.3.

Vendor | Product | Version | CPE
ibm | smartcloud_analytics_log_analysis | 1.3. | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.:*:*:*:*:*:*:*
