Lucene search

IBM86869C7E41E90A6B8ECD238ED7629A0C9701C7236E348BE88B6F1ED9120F3CAF

HistoryAug 29, 2022 - 2:27 a.m.

Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-45346)

2022-08-2902:27:10

www.ibm.com

sqlite

ibm cloud

application performance management

vulnerability

memory leak

ibm tivoli

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.002 Low

EPSS

Percentile

60.6%

JSON

Summary

A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicous user obtain sensitive information.

Vulnerability Details

CVEID:CVE-2021-45346
**DESCRIPTION:**SQLite could allow a local authenticated attacker to obtain sensitive information, caused by a memory leak. By sending a specially-crafted SQL query via editing the database file, an attacker could exploit this vulnerability to obtain sensitive information from subsequent bytes of the queried record from memory.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219912 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Tivoli Composite Application Manager for Transactions (Response Time)	7.4.0.2
IBM Cloud Application Performance Management - Response Time Monitoring Agent	8.1.4
IBM Tivoli Composite Application Manager for Transactions (Response Time)	7.4.0.1

Remediation/Fixes

Product	Product Version	Remediation / First Fix
IBM Cloud Application Performance Management - Response Time Monitoring Agent	8.1.4	If you use the Response Time Monitoring Agent, the vulnerabilities can be remediated by applying the Response Time Monitoring Agent 8.1.4.0-IBM-APM-RT-AGENT-IF0013 patch to all systems where this agent is installed:
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Application+Performance+Management+Advanced&fixids=8.1.4.0-IBM-APM-RT-AGENT-IF0013&source=SAR
IBM Tivoli Composite Application Manager for Transactions (Response Time)	7.4.0.1	7.4.0.1-TIV-CAMRT-IF0059
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Composite+Application+Manager+for+Transactions&fixids=7.4.0.1-TIV-CAMRT-IF0059&source=SAR
IBM Tivoli Composite Application Manager for Transactions (Response Time)	7.4.0.2	7.4.0.2-TIV-CAMRT-IF0018
http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Composite+Application+Manager+for+Transactions&fixids=7.4.0.2-TIV-CAMRT-IF0018&source=SAR

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmtivoli_monitoring_for_databasesMatch8.1.4

ibmtivoli_monitoring_for_databasesMatch7.4.0.1

ibmtivoli_monitoring_for_databasesMatch7.4.0.2

CPENameOperatorVersion
tivoli monitoring for transaction performanceeq8.1.4
tivoli monitoring for transaction performanceeq7.4.0.1
tivoli monitoring for transaction performanceeq7.4.0.2

Name	Operator	Version
tivoli monitoring for transaction performance	eq	8.1.4
tivoli monitoring for transaction performance	eq	7.4.0.1
tivoli monitoring for transaction performance	eq	7.4.0.2