Lucene search

K
ibmIBM5EECFC5C8DC24CAFE9B7AB5FC12D78B14281213BEAB82B828C710EEE945957CC
HistoryJul 24, 2020 - 5:07 p.m.

Security Bulletin: Multiple Security Vulnerabilities in Jetty Affect IBM Sterling B2B Integrator (CVE-2018-12545, CVE-2019-10241)

2020-07-2417:07:55
www.ibm.com
18

EPSS

0.057

Percentile

93.4%

Summary

IBM Sterilng B2B Integrator has addressed multiple security vulnerabilities in Jetty.

Vulnerability Details

CVEID:CVE-2018-12545
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames container containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161491 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-10241
**DESCRIPTION:**Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling B2B Integrator 5.2.0.0 - 5.2.6.5_1
IBM Sterling B2B Integrator 6.0.0.0 - 6.0.3.1

Remediation/Fixes

Product & Version ** Remediation & Fix**
5.2.0.0 - 5.2.6.5_1 Apply IBM Sterling B2B Integrator version 5.2.6.5_2 or 6.0.3.2 on Fix Central
6.0.0.0 - 6.0.3.1 Apply IBM Sterling B2B Integrator version 6.0.3.2 on Fix Central

Workarounds and Mitigations

None