Lucene search

K
ibmIBM4F3266EA945DE8D8D2A40355E5B0F806639DB3718EB5A22B6BC31D1E5CD00CE7
HistoryApr 20, 2020 - 2:38 p.m.

Security Bulletin: A security vulnerability has been identified in the Apache POI, which is vulnerable to Denial of Service. (CVE-2017-12626, CVE-2017-5644)

2020-04-2014:38:51
www.ibm.com
13

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

Summary

The Apache POI has security vulnerability to exploit the application through denial of service. Respective security vulnerabilities are discussed in detail in the subsequent sections.

Vulnerability Details

IBM Rational Asset Manager bundles Apache POI, which is used to set custom attributes of a document.

CVEID: CVE-2017-12626 DESCRIPTION: Apache POI is vulnerable to a denial of service, caused by an error while parsing malicious WMF, EMF, MSG and macros and specially crafted DOC, PPT and XLS. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or an out of memory exception. CVSS Base Score: 5.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138361 for the current score. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-5644**
DESCRIPTION:*Apache POI is vulnerable to a denial of service, cause by an XML External Entity Injection (XXE) error when processing XML data. By using a specially-crafted OOXML file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123699 for the current score CVSS Environmental Score: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Rational Asset Manager 7.5.3.2 and earlier.

Remediation/Fixes

You must upgrade to the Rational Asset Manager 7.5.3.3 orDownload theiFix specified in the following table and apply it.

Version |

Fix
—|—

Rational Asset Manager 7.5.2.4 |

Rational Asset Manager 7.5.2.4 iFix Download.

NOTE: For support on other Rational Asset Manager versions, please contact IBM support.

Workarounds and Mitigations

None.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

Related for 4F3266EA945DE8D8D2A40355E5B0F806639DB3718EB5A22B6BC31D1E5CD00CE7