IBM47AC8E33365C040A01C5CD6B775EE90932188BE66F1604397C6FBA4BF247B44BSecurity Bulletin: Vulnerability of Apache Thrift (libthrift-0.12.0.jar ) have affected APM WebSphere Application Server Agent , APM SAP NetWeaver Agent and APM WebLogic Agent
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
77.2%
Summary
APM WebSphere Application Server Agent, APM SAP NetWeaver Agent and APM WebLogic Agent is vulnerable to Apache Thrift (libthrift-0.12.0.jar ) CVE-2019-0205. The fix for WebSphere Application Server Agent and SAP NetWeaver Agent includes libthrift-0.12.0.jar upgraded to libthrift-0.17.0.jar, and workaround for WebLogic Agent includes libthrift-0.12.0.jar upgraded to libthrift-0.18.1.jar
Vulnerability Details
CVEID:CVE-2019-0205
**DESCRIPTION:**Apache Thrift is vulnerable to a denial of service, caused by an error when processing untrusted Thrift payload. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| APM Agents for Monitoring | all |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading:
Product Remediation
|
Fix
—|—
APM on-premise
|
1. APM WebSphere Application Server Agent release 8.1.4.0.20 (WAS Agent version: 07.30.14.19)
2. APM SAP NetWeaver Agent release 8.1.4.0.20 (SAP NetWeaver Agent version: 08.23.05.00)
Download the APM Agents installer from Passport Advantage. Please refer below link for download instructions:
<https://www.ibm.com/docs/en/capmp/8.1.4?topic=advantage-part-numbers>
Workarounds and Mitigations
For APM WebLogic Agent, this vulnerability is not fixed in APM 814020 release. Please follow below steps as a workaround:
libthrift-0.12.0.jar must be upgraded from Maven Repository: Search/Browse/Explore (mvnrepository.com)
Procedure:
Step 1: Stop the agent and replace libthrift-0.12.0.jar with it’s latest version libthrift-0.18.1.jar.
Windows:
i. Navigate to the directory $CANDLEHOMEC\TMAITM6_x64<dchome><version>\ttdc\lib\ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of libthrift-0.12.0.jar and replace it with the latest version ie. libthrift-0.18.1.jar.
Linux:
i.Navigate to the directory $CANDLEHOMEC/<dchome>/<version>/ttdc/lib/ext
where <dchome> would be wbdchome and <version> would be 8.1.4.0.0 for WebLogic Agent.
ii. Take a backup of libthrift-0.12.0.jar and replace it with the latest version ie. libthrift-0.18.1.jar.
Step 2 : Restart the agent.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm application performance management | eq | 8.1.4 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
77.2%