Lucene search

IBM391D51B05B4BF6F125460B450D4898020BFE671CD521DB1F64A64804B7336499

HistoryFeb 01, 2023 - 9:34 p.m.

Security Bulletin: IBM Process Mining is vulnerable to DOS due to Eclipse Jetty CVE-2018-12545

2023-02-0121:34:35

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.057 Low

EPSS

Percentile

93.3%

JSON

Summary

Eclipse Jetty is used by IBM Process Mining. CVE-2018-12545

Vulnerability Details

CVEID:CVE-2018-12545
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames container containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161491 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Process Mining	1.12.0.3

Remediation/Fixes

Remediation/Fixes guidance:

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Process Mining	1.12.0.3

Upgrade to version 1.12.0.4

1.Login to PassPortAdvantage

2. Search for
M05JKML Process Mining 1.12.0.4 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M05JJML Process Mining 1.12.0.4 Client Windows Multilingual

| |

Workarounds and Mitigations

None known

CPENameOperatorVersion
ibm cloud pak for automationeq1.12.0.3
ibm cloud pak for automationeq1.12.0.3

CPE	Name	Operator	Version
	ibm cloud pak for automation	eq	1.12.0.3
	ibm cloud pak for automation	eq	1.12.0.3

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.057 Low

EPSS

Percentile

93.3%

JSON

Related for 391D51B05B4BF6F125460B450D4898020BFE671CD521DB1F64A64804B7336499