Security Bulletin: IBM API Connect V10 is impacted by denial of service vulnerabilities in Crunchy kernel (CVE-2020-8616, CVE-2020-8617)

Published: 2020-10-07 23:02:51, www.ibm.com

EPSS: 0.972 (percentile 99.9%)

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2020-8616
**DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by the failure to limit the number of fetches performed when processing referrals. By using specially crafted referrals, a remote attacker could exploit this vulnerability to cause the recursing server to issue a very large number of fetches in an attempt to process the referral.
CVSS Base Score: 8.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/182126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2020-8617
**DESCRIPTION:** ISC BIND is vulnerable to a denial of service, caused by a logic error in code which checks TSIG validity. A remote attacker could exploit this vulnerability to trigger an assertion failure in tsig.c.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/182127 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM API Connect | 10.0.0.0 |

Remediation/Fixes

| Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM API Connect 10.0.0.0 | IBM API Connect V10.0.1 | LI81761 | Addressed in IBM API Connect V10.0.1 |

Management server is impacted.

Follow this link and find the “Management” image appropriate for your installation:
http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None