Mar 29, 2019 - 11:00 a.m.

Security Bulletin: IBM Event Streams is affected by Go vulnerabilities

2019-03-29 11:00:02
www.ibm.com

EPSS: 0.017 (percentile: 88.1%)

Summary

IBM Event Streams has addressed the following vulnerabilities in the Go runtimes that it ships.

Vulnerability Details

CVE-ID: CVE-2019-6486
Description: Golang Go is vulnerable to a denial of service, caused by mishandling P-521 and P-384 elliptic curves. By using specially-crafted inputs, a local attacker could exploit this vulnerability to consume all available CPU resources.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156156> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-ID: CVE-2018-16875
Description: Go Programming Language is vulnerable to a denial of service, caused by the failure to limit the amount of work performed for each chain verification. By sending specially-crafted pathological inputs, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154318> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
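
To check the base scores quoted above against their vectors when triaging, the following added example (not part of IBM's bulletin or of the Go project) implements the CVSS v3.0 base-score equations in Go. The names `BaseScore`, `weights` and `cia` are this example's own; the metric weights are those of the CVSS v3.0 specification.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// CVSS v3.0 metric weights; PR lists the Scope Unchanged values.
var cia = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "UI": {"N": 0.85, "R": 0.62},
	"C": cia, "I": cia, "A": cia,
}

// BaseScore parses a CVSS:3.0 base vector and applies the v3.0 base equations.
func BaseScore(vector string) (float64, error) {
	parts := strings.Split(strings.Trim(vector, "() "), "/")
	if len(parts) != 9 || parts[0] != "CVSS:3.0" {
		return 0, fmt.Errorf("not a CVSS:3.0 base vector: %q", vector)
	}
	m, raw := map[string]float64{}, map[string]string{}
	for _, p := range parts[1:] {
		k, v, _ := strings.Cut(p, ":")
		w, ok := weights[k][v]
		if !ok && !(k == "S" && (v == "U" || v == "C")) {
			return 0, fmt.Errorf("bad metric %q", p)
		}
		m[k], raw[k] = w, v
	}
	if len(m) != 8 { // all eight base metrics present, none repeated
		return 0, fmt.Errorf("missing or repeated metric in %q", vector)
	}
	iss := 1 - (1-m["C"])*(1-m["I"])*(1-m["A"])
	impact, factor, pr := 6.42*iss, 1.0, m["PR"]
	if raw["S"] == "C" { // Scope Changed: different impact curve and PR weights
		impact, factor = 7.52*(iss-0.029)-3.25*math.Pow(iss-0.02, 15), 1.08
		pr = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}[raw["PR"]]
	}
	if impact <= 0 {
		return 0, nil
	}
	return math.Ceil(math.Min(factor*(impact+8.22*m["AV"]*m["AC"]*pr*m["UI"]), 10)*10) / 10, nil
}

func main() {
	fmt.Println(BaseScore("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"))
	fmt.Println(BaseScore("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"))
}
```

The two vectors differ only in Attack Vector (AV:L against AV:N), which accounts for the whole gap between the two base scores.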

Affected Products and Versions

IBM Event Streams 2018.3.0

IBM Event Streams 2018.3.1

Remediation/Fixes

Upgrade to IBM Event Streams 2019.1.1, which is available from Passport Advantage.