CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Percentile: 83.4%

There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8.0.5.25 and earlier that is used by IMS™ Enterprise Suite: Explorer for Development. This issue was disclosed as part of the IBM Java SDK updates in January 2019.
The transparent NTLM authentication implementation in java.net.HttpURLConnection exposes the user’s NTLM credentials to any server that requests them.
The fix disables transparent NTLM authentication by default. A new system property (jdk.http.ntlm.transparentAuth) allows the user to enable transparent NTLM authentication for all hosts or trusted hosts only.
This issue applies to products or applications that use java.net.HttpURLConnection or javax.net.ssl.HttpsURLConnection.
The only solution is to upgrade the JRE.
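After the upgrade, it is worth confirming that no deployment re-enables transparent NTLM authentication more broadly than intended. The following Python audit is an added example, not IBM's code: it assumes the property values `disabled`, `trustedHosts` and `allHosts`, that the property is set either with `-D` on the JVM command line or in the JRE's `net.properties` file, and that the `-D` value takes precedence; the sample command lines and file contents are constructed.

```python
import shlex

PROP = "jdk.http.ntlm.transparentAuth"
# Assumed value names (disabled / trustedHosts / allHosts), matched case-insensitively.
MODES = {"disabled": "disabled", "trustedhosts": "trustedHosts", "allhosts": "allHosts"}
FINDING = {
    "disabled": "OK: transparent NTLM authentication is off",
    "trustedHosts": "CHECK: confirm the trusted-host scope is intended",
    "allHosts": "REVIEW: credentials are offered to any server that asks",
}

def from_net_properties(text):
    """Last uncommented 'key=value' setting of PROP in net.properties text, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or properties-file comment
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == PROP:
            value = val.strip()
    return value

def from_jvm_args(cmdline):
    """Last -D<PROP>=value on a JVM command line, or None."""
    value = None
    for arg in shlex.split(cmdline):
        if arg.startswith("-D" + PROP + "="):
            value = arg.split("=", 1)[1]
    return value

def effective_mode(cmdline, net_properties_text):
    """Assumption: -D overrides net.properties; unset or unknown values mean disabled."""
    raw = from_jvm_args(cmdline)
    if raw is None:
        raw = from_net_properties(net_properties_text)
    return MODES.get((raw or "").strip().lower(), "disabled")

def audit(deployments):
    """Map each deployment name to (effective mode, finding)."""
    results = {}
    for name, (cmdline, props) in deployments.items():
        mode = effective_mode(cmdline, props)
        results[name] = (mode, FINDING[mode])
    return results

# Constructed sample input: (JVM command line, net.properties contents) per deployment.
SAMPLE = {
    "default": ("java -jar app.jar", "# jdk.http.ntlm.transparentAuth=trustedHosts\n"),
    "props-file": ("java -jar app.jar", "jdk.http.ntlm.transparentAuth=trustedHosts\n"),
    "override": ("java -Djdk.http.ntlm.transparentAuth=allHosts -jar app.jar",
                 "jdk.http.ntlm.transparentAuth=disabled\n"),
}

if __name__ == "__main__":
    for name, (mode, finding) in audit(SAMPLE).items():
        print(f"{name}: {mode} ({finding})")
```

The result only describes a JRE that already contains the fix; on an unpatched JRE the property has no effect.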
Affected product: Explorer for Development of the IMS™ Enterprise Suite, Versions 3.3.1 and earlier.
Product | VRMF | APAR | Download URL |
---|---|---|---|
IMS Enterprise Suite Explorer for Development V3.3 | 3.3.1.14 | N/A | https://developer.ibm.com/mainframe/products/downloads/eclipse-tools/ |

Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ims_enterprise_suite | 3.3.1 | cpe:2.3:a:ibm:ims_enterprise_suite:3.3.1:*:*:*:*:*:*:* |