Lucene search

K
ibmIBM587BC83CA2D3D19A3695008606E3756500B7215305ED8B225B5B516F672A7C1D
HistoryDec 10, 2018 - 3:35 p.m.

Security Bulletin: Potential MITM attack in Apache CXF used by IBM® WebSphere™ Application Server Liberty affects IBM® SPSS Analytic Server (CVE-2018-8039)

2018-12-1015:35:01
www.ibm.com
6

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Summary

There is a potential man-in-the-middle attack in Apache CXF used by IBM WebSphere Application Server Liberty that affects SPSS Analytic Server.

Vulnerability Details

CVEID: CVE-2018-8039 DESCRIPTION: Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.

CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145516&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM SPSS Analytic Server 2.0.0.0
IBM SPSS Analytic Server 2.1.0.0
IBM SPSS Analytic Server 3.0.0.0
IBM SPSS Analytic Server 3.1.0.0

Remediation/Fixes

Affected IBM SPSS Analytic Server users need to update their IBM WebSphere Application Server instances. Please refer to the following security bulletin for a list of the IBM WebSphere Application Server fix packs that the fix is delivered in and for links to the interim fixes: <https://www-01.ibm.com/support/docview.wss?uid=ibm10720065&gt;

Workarounds and Mitigations

None

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Related for 587BC83CA2D3D19A3695008606E3756500B7215305ED8B225B5B516F672A7C1D