Lucene search

K
ibmIBM211CD9F1ACF38809CC4473AEB8D5CFC5AEDD6F6E475C5EC5DC18B3B624F8BF48
HistoryApr 07, 2020 - 1:33 p.m.

Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2019-19925, CVE-2019-19645, CVE-2019-19924, CVE-2019-19923, CVE-2019-19880, CVE-2019-19646, CVE-2019-19926)

2020-04-0713:33:23
www.ibm.com
19
sqlite
ibm cloud
application performance management
response time monitoring agent
denial of service
vulnerability
null pathname
mishandling
zipfileupdate function
infinite recursion flaw
alter.c
self-referential views
create table
create view statements
parser-tree rewriting
sqlite3windowrewrite function
lattensubquery function
invalid pointer dereference

EPSS

0.014

Percentile

86.4%

Summary

SQLite is vulnerable to a denial of service.

Vulnerability Details

CVEID:CVE-2019-19925
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by the mishandling of a NULL pathname in the zipfileUpdate function in ext/misc/zipfile.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173496 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-19645
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by an infinite recursion flaw in alter.c. By sending a specially-crafted request using certain types of self-referential views in conjunction with ALTER TABLE statements, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172774 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-19603
**DESCRIPTION:**An error during handling of CREATE TABLE and CREATE VIEW statements in SQLite has an unknown impact via a specially crafted table name.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172765 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-19924
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by the mishandling of certain parser-tree rewriting in the sqlite3WindowRewrite function in expr.c, vdbeaux.c, and window.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173495 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-19923
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the lattenSubquery function in select.c. By sending a specially-crafted request with the use of SELECT DISTINCT involving a LEFT JOIN, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173490 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-19880
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by an invalid pointer dereference in exprListAppendList in window.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173387 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-19646
**DESCRIPTION:**An unspecified error related to the mishandling of NOT NULL in an integrity_check PRAGMA command in pragma.c in SQLite has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2019-19926
**DESCRIPTION:**SQLite is vulnerable to a denial of service, caused by the mishandling of certain errors during parsing in the multiSelect function in select.c. By sending specially-crafted sqlite3WindowRewrite() calls, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173497 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Application Performance Management - Response Time Monitoring Agent 8.1.4
IBM Performance Management - Response Time Monitoring Agent 8.1.3
IBM Tivoli Composite Application Manager for Transactions (Response Time) 7.4.0.1
IBM Tivoli Composite Application Manager for Transactions (Response Time) 7.4.0.2

Remediation/Fixes

Product Product Version APAR Remediation / First Fix
IBM Cloud Application Performance Management - Response Time Monitoring Agent 8.1.4 If you use the Response Time Monitoring Agent, the vulnerabilities can be remediated by applying the Response Time Monitoring Agent 8.1.4.0-IBM-APM-RT-AGENT-IF0009 patch to all systems where this agent is installed:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Application+Performance+Management+Advanced&fixids=8.1.4.0-IBM-APM-RT-AGENT-IF0009&source=SAR
IBM Performance Management - Response Time Monitoring Agent 8.1.3 If you use the Response Time Monitoring Agent, the vulnerabilities can be remediated by applying the Response Time Monitoring Agent 8.1.3.0-IBM-IPM-RT-AGENT-IF0008 patch to all systems where this agent is installed:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Application+Performance+Management+Advanced&fixids=8.1.3.0-IBM-IPM-RT-AGENT-IF0008&source=SAR
IBM Tivoli Composite Application Manager for Transactions (Response Time) 7.4.0.1 7.4.0.1-TIV-CAMRT-IF0043
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Composite+Application+Manager+for+Transactions&fixids=7.4.0.1-TIV-CAMRT-IF0043&source=SAR
IBM Tivoli Composite Application Manager for Transactions (Response Time) 7.4.0.2 7.4.0.2-TIV-CAMRT-IF0010
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Composite+Application+Manager+for+Transactions&fixids=7.4.0.2-TIV-CAMRT-IF0010&source=SAR

Workarounds and Mitigations

None