Lucene search

K
ibmIBM57B9CF39C18FB4A06D2E917933FA8D5E3C4A18F982A4708050D5715BD40B9C19
HistoryNov 12, 2018 - 3:50 a.m.

Security Bulletin: IBM Network Performance Insight (CVE-2018-11771)

2018-11-1203:50:01
www.ibm.com
8

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

Summary

Apache Commons Compress is vulnerable to a denial of service, caused by the failure to return the correct EOF indication after the end of the stream has been reached by the ZipArchiveInputStream method. By reading a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. IBM Network Performance Insight has addressed this.

Vulnerability Details

CVEID: CVE-2018-11771 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by the failure to return the correct EOF indication after the end of the stream has been reached by the ZipArchiveInputStream method. By reading a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Network Performance Insight: 1.2.1, 1.2.2, 1.2.3.

Remediation/Fixes

1.2.1.0-TIV-NPI-IF0002

Fix Central link: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.2.1.0-TIV-NPI-IF0002&source=SAR

1.2.1.1-TIV-NPI-IF0003

Fix Central link: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.2.1.1-TIV-NPI-IF0003&source=SAR

1.2.2.0-TIV-NPI-IF0005

Fix Central link: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.2.2.0-TIV-NPI-IF0005&source=SAR

1.2.3.0-TIV-NPI-IF0003

Fix Central link: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FNetwork+Performance+Insight&fixids=1.2.3.0-TIV-NPI-IF0003&source=SAR

Workarounds and Mitigations

None

CPENameOperatorVersion
netcool operations insighteqany

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

Related for 57B9CF39C18FB4A06D2E917933FA8D5E3C4A18F982A4708050D5715BD40B9C19