Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-12406)

Summary

There is a denial of service in the Apache CXF library used by WebSphere Application Server. This has been addressed.

Vulnerability Details

CVEID:CVE-2019-12406
**DESCRIPTION:**Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property “attachment-max-count”.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PH19989 for each named product as soon as practical.

For Liberty 17.0.0.3-20.0.0.1 using jaxrs-2.0 or jaxrs-2.1 or jaxws-2.2 features:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH19989
--OR–
· Apply Liberty Fix Pack 20.0.0.2 or later (targeted availability 1Q2020).

For WebSphere Application Server and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.5.2:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH19989
--OR–
· Apply Fix Pack 9.0.5.3 or later (targeted availability 1Q2020).

Additional interim fixes may be available and linked off the interim fix download page.

Workarounds and Mitigations

None