7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
77.2%
APM WebSphere Application Server Agent, APM SAP NetWeaver Agent and APM WebLogic Agent is vulnerable to Apache Thrift (libthrift-0.12.0.jar ) CVE-2019-0205. The fix for WebSphere Application Server Agent and SAP NetWeaver Agent includes libthrift-0.12.0.jar upgraded to libthrift-0.17.0.jar, and workaround for WebLogic Agent includes libthrift-0.12.0.jar upgraded to libthrift-0.18.1.jar
CVEID:CVE-2019-0205
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by an error when processing untrusted Thrift payload. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
APM Agents for Monitoring | all |
IBM strongly recommends addressing the vulnerability now by upgrading:
Product Remediation
|
Fix
—|—
APM on-premise
|
1. APM WebSphere Application Server Agent release 8.1.4.0.20 (WAS Agent version: 07.30.14.19)
2. APM SAP NetWeaver Agent release 8.1.4.0.20 (SAP NetWeaver Agent version: 08.23.05.00)
Download the APM Agents installer from Passport Advantage. Please refer below link for download instructions:
<https://www.ibm.com/docs/en/capmp/8.1.4?topic=advantage-part-numbers>
For APM WebLogic Agent, this vulnerability is not fixed in APM 814020 release. Please follow below steps as a workaround:
libthrift-0.12.0.jar must be upgraded from Maven Repository: Search/Browse/Explore (mvnrepository.com)
Procedure:
Step 1: Stop the agent and replace libthrift-0.12.0.jar with it’s latest version libthrift-0.18.1.jar.
Windows:
i. Navigate to the directory $CANDLEHOMEC\TMAITM6_x64<dchome><version>\ttdc\lib\ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of libthrift-0.12.0.jar and replace it with the latest version ie. libthrift-0.18.1.jar.
Linux:
i.Navigate to the directory $CANDLEHOMEC/<dchome>/<version>/ttdc/lib/ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of libthrift-0.12.0.jar and replace it with the latest version ie. libthrift-0.18.1.jar.
Step 2 : Restart the agent.
CPE | Name | Operator | Version |
---|---|---|---|
ibm application performance management | eq | 8.1.4 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
77.2%