Security Bulletin: Vulnerabilities in Netty affect watsonx.data

Summary

Netty is vulnerable to denial of service attacks and remote attack via restrictions bypass. These can affect watsonx.data.

Vulnerability Details

CVEID:CVE-2015-2156
**DESCRIPTION:**Netty could allow a remote attacker to bypass restrictions, caused by the improper validation of characters in a cookie name by the cookie parsing code. An attacker could exploit this vulnerability to bypass the HttpOnly flag in all Play applications and gain access to the system.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/103239 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVEID:CVE-2014-0193
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by an error in the WebSocket08FrameDecoder implementation. A remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/93006 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2019-9518
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a Empty Frame Flooding attack. By sending a stream of frames with an empty payload and without the end-of-stream flag, a remote attacker could consume excessive CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

The product needs to be installed or upgraded to the latest available level watsonx.data 2.0.2 or watsonx.data on CPD 5.0.2. Installation/upgrade instructions can be found here: <https://www.ibm.com/docs/en/watsonx/watsonxdata/2.0.x?topic=deployment-installing&gt;

Workarounds and Mitigations

None