Lucene search

IBM6008DF13D5D81D35AC47B3C59AD229492AD65ECB2C2EDA6225BBC1909E5988A5

HistoryAug 01, 2024 - 9:17 p.m.

Security Bulletin: IBM Content Navigator is vulnerable to Denial of Service (DoS) due to Apache Commons Compress (CVE-2024-26308, CVE-2024-25710)

2024-08-0121:17:43

www.ibm.com

ibm content navigator

denial of service

apache commons compress

vulnerability

pack200

dump file

out of memory

infinite loop

cve-2024-26308

cve-2024-25710

fix

3.0.15

3.0.14

3.0.11

CVSS3

8.1

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

Confidence

High

JSON

Summary

Apache Commons Compress is used by IBM Content Navigator to work with archive files. CVE-2024-26308, CVE-2024-25710

Vulnerability Details

CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Content Navigator	3.0.15 IF002	Download 3.0.15 IF002 and follow instructions
IBM Content Navigator	3.0.14 IF005	Download 3.0.14 IF005 and follow instructions
IBM Content Navigator	3.0.11 IF016	Download 3.0.11 IF016 and follow instructions

Workarounds and Mitigations

None.

Affected configurations

Vulners

Node

ibmcontent_navigatorMatch3.0.15

ibmcontent_navigatorMatch002

ibmcontent_navigatorMatch3.0.14

ibmcontent_navigatorMatch005

ibmcontent_navigatorMatch3.0.11

ibmcontent_navigatorMatch016

ibmcontent_navigatorMatch3.0.15

ibmcontent_navigatorMatch002

ibmcontent_navigatorMatch3.0.14

ibmcontent_navigatorMatch005

ibmcontent_navigatorMatch3.0.11

ibmcontent_navigatorMatch016

VendorProductVersionCPE
ibmcontent_navigator3.0.15cpe:2.3:a:ibm:content_navigator:3.0.15:*:*:*:*:*:*:*
ibmcontent_navigator002cpe:2.3:a:ibm:content_navigator:002:*:*:*:*:*:*:*
ibmcontent_navigator3.0.14cpe:2.3:a:ibm:content_navigator:3.0.14:*:*:*:*:*:*:*
ibmcontent_navigator005cpe:2.3:a:ibm:content_navigator:005:*:*:*:*:*:*:*
ibmcontent_navigator3.0.11cpe:2.3:a:ibm:content_navigator:3.0.11:*:*:*:*:*:*:*
ibmcontent_navigator016cpe:2.3:a:ibm:content_navigator:016:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	content_navigator	3.0.15	cpe:2.3:a:ibm:content_navigator:3.0.15:::::::*
ibm	content_navigator	002	cpe:2.3:a:ibm:content_navigator:002:::::::*
ibm	content_navigator	3.0.14	cpe:2.3:a:ibm:content_navigator:3.0.14:::::::*
ibm	content_navigator	005	cpe:2.3:a:ibm:content_navigator:005:::::::*
ibm	content_navigator	3.0.11	cpe:2.3:a:ibm:content_navigator:3.0.11:::::::*
ibm	content_navigator	016	cpe:2.3:a:ibm:content_navigator:016:::::::*