History: Jan 10, 2020 - 8:04 a.m.

Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Open Source vulnerabilities

2020-01-10 08:04:05
www.ibm.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary

IBM WebSphere Cast Iron Solution & App Connect Professional has addressed the reported open source vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-3863
**DESCRIPTION:** A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard interactive response messages whose total length is greater than unsigned char max characters. This value is used as an index to copy memory, causing an out of bounds memory write error.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158347 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3857
**DESCRIPTION:** An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158341 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3856
**DESCRIPTION:** An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158340 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3855
**DESCRIPTION:** An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
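
The integer overflow descriptions above share one pattern: a length supplied by the peer feeds size arithmetic before it is validated. The C example below is added here for illustration and is not libssh2 or IBM code; `alloc_size_unchecked`, `read_field`, `check_field` and the `MAX_FIELD` cap are hypothetical names, and the input is an SSH-style field (32-bit big-endian length followed by that many bytes).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 4096u /* assumed policy cap, not a libssh2 constant */

/* Unchecked 32-bit size arithmetic on a peer-supplied length: for
 * len = 0xFFFFFFFF the "+ 1" for the terminator wraps to 0, so a parser
 * that allocates this size and then copies len bytes writes out of bounds.
 * Only the arithmetic is shown; nothing is copied here. */
static uint32_t alloc_size_unchecked(uint32_t len) { return len + 1u; }

/* Hardened reader: returns a NUL-terminated copy of the field and advances
 * *off, or NULL if the input is truncated or the length is not plausible. */
static char *read_field(const unsigned char *buf, size_t buflen,
                        size_t *off, uint32_t *out_len) {
    if (*off > buflen || buflen - *off < 4)
        return NULL;                      /* no room for the length prefix */
    const unsigned char *p = buf + *off;
    uint32_t len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                   ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (len > MAX_FIELD || len > buflen - *off - 4)
        return NULL;                      /* length not backed by data */
    char *s = malloc((size_t)len + 1);    /* cannot wrap: len <= MAX_FIELD */
    if (s == NULL)
        return NULL;
    memcpy(s, p + 4, len);
    s[len] = '\0';
    *off += 4 + (size_t)len;
    *out_len = len;
    return s;
}

/* Returns the field length if buf starts with a well-formed field, else -1. */
static long check_field(const unsigned char *buf, size_t buflen) {
    size_t off = 0;
    uint32_t len = 0;
    char *s = read_field(buf, buflen, &off, &len);
    if (s == NULL)
        return -1;
    free(s);
    return (long)len;
}

int main(void) { /* constructed inputs: one valid, one claiming 0xFFFFFFFF bytes */
    static const unsigned char good[] = {0, 0, 0, 2, 'h', 'i'};
    static const unsigned char evil[] = {0xff, 0xff, 0xff, 0xff, 'h', 'i'};
    return (check_field(good, sizeof good) == 2 &&
            check_field(evil, sizeof evil) == -1) ? 0 : 1;
}
```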

Affected Products and Versions

WebSphere Cast Iron v 7.5.0.0, 7.5.0.1, 7.5.1.0

WebSphere Cast Iron v 7.0.0.0, 7.0.0.1, 7.0.0.2

App Connect Professional v 7.5.2.0

App Connect Professional v 7.5.3.0

Remediation/Fixes

| Product | VRMF | Remediation/First Fix |
| --- | --- | --- |
| IBM Cast Iron | 7.0.0.0, 7.0.0.1, 7.0.0.2 | 7002 Fixcentral Link |
| IBM Cast Iron | 7.5.0.0, 7.5.0.1, 7.5.1.0 | 7510 fixcentral Link |
| App Connect Professional | 7.5.2.0 | 7520 Fixcentral link |
| App Connect Professional | 7.5.3.0 | 7530 Fixcentral link |

Workarounds and Mitigations

None
