Security Bulletin: API Connect Developer Portal is affected by multiple PHP vulnerabilities

Summary

IBM API Connect has addressed the following vulnerabilities.

Several security issues were fixed in PHP’s HTML-embedded scripting language interpreter.

Vulnerability Details

CVEID: CVE-2018-10549 DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read in exif_read_data in ext/exif/exif.c. By sending specially crafted data, an attacker could exploit this vulnerability to mishandle the case of a MakerNote that lacks a final ‘’\0’’ character and execute arbitrary code on the system and cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142564&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-10548 DESCRIPTION: PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in ext/ldap/ldap.c. By sending specially crafted data, an attacker could exploit this vulnerability to mishandle the ldap_get_dn return value and cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142565&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10547 DESCRIPTION: PHP is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the ext/phar/phar_object.c. A remote attacker could exploit this vulnerability using request data of a request for a .phar file to execute script in a victim’'s Web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142566&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-10546 DESCRIPTION: PHP is vulnerable to a denial of service, caused by the failure to reject invalid multibyte sequences by the iconv stream filter in ext/iconv/iconv.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142567&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-10545 DESCRIPTION: PHP could allow a remote attacker to obtain sensitive information, caused by the bypassing of opcache access controls by dumpable FPM child processes. An attacker could exploit this vulnerability to obtain sensitive information from the process memory of a second user’s PHP applications.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142568&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM API Connect version 5.0.0.0-5.0.8.3

Remediation/Fixes

Addressed in IBM API Connect Developer Portal V5.0.8.3 iFix.

Follow this link and find the “APIConnect-Portal” package dated on or after 13 June 2018.

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7…

Workarounds and Mitigations

None