6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
There is a denial of service in the Apache CXF library used by WebSphere Application Server. This has been addressed.
CVEID:CVE-2019-12406
**DESCRIPTION:**Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property โattachment-max-countโ.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
WebSphere Application Server Liberty | 17.0.0.3 - 20.0.0.1 |
WebSphere Application Server | 9.0 |
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PH19989 for each named product as soon as practical.
For Liberty 17.0.0.3-20.0.0.1 using jaxrs-2.0 or jaxrs-2.1 or jaxws-2.2 features:
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH19989
--ORโ
ยท Apply Liberty Fix Pack 20.0.0.2 or later (targeted availability 1Q2020).
For WebSphere Application Server and WebSphere Application Server Hypervisor Edition:
For V9.0.0.0 through 9.0.5.2:
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH19989
--ORโ
ยท Apply Fix Pack 9.0.5.3 or later (targeted availability 1Q2020).
Additional interim fixes may be available and linked off the interim fix download page.
None
CPE | Name | Operator | Version |
---|---|---|---|
websphere application server | eq | 9.0 |
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P