Lucene search

IBM869D3B2E67F71714B7C5159A34A85E522DF442E8B9F951EDA2D9D91583A1A49B

HistoryMay 20, 2020 - 3:25 p.m.

Security Bulletin: IBM API Connect is impacted by vulnerabilities in PHP (CVE-2020-7060, CVE-2020-7059)

2020-05-2015:25:37

www.ibm.com

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

JSON

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2020-7060
**DESCRIPTION:**PHP is vulnerable to a buffer overflow, caused by improper bounds checking by the mbfl_filt_conv_big5_wchar function. By sending specially crafted data, a remote attacker could overflow a buffer and obtain sensitive information or cause the application to crash.

CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175204 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-7059
**DESCRIPTION:**PHP is vulnerable to denial of service, caused by an out-of-bounds read in php_strip_tags_ex. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175030 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
API Connect	IBM API Connect V2018.4.1.0-2018.4.1.10
API Connect	IBM API Connect V5.0.0.0-5.0.8.7

Remediation/Fixes

Affected Product

Addressed in VRMF

APAR

Remediation / First Fix

—|—|—|—

IBM API Connect

V5.0.0.0-5.0.8.7

| 5.0.8.8 | LI81501 | Addressed in IBM API Connect V5.0.8.8

Developer Portal is impacted.

Follow this link and find the “Portal” package:

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V2018.4.1.0-2018.4.1.10

| 2018.4.1.11 | LI81501 |

Addressed in IBM API Connect V2018.4.1.11

Developer Portal is impacted.

Follow this link and find the “Portal” package:

http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm api connecteq5.0.0.0
ibm api connecteq5.0.8.7
ibm api connecteq2018.4.1.0
ibm api connecteq2018.4.1.10

Name	Operator	Version
ibm api connect	eq	5.0.0.0
ibm api connect	eq	5.0.8.7
ibm api connect	eq	2018.4.1.0
ibm api connect	eq	2018.4.1.10

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

JSON

Related for 869D3B2E67F71714B7C5159A34A85E522DF442E8B9F951EDA2D9D91583A1A49B