Lucene search

K
ibmIBM869D3B2E67F71714B7C5159A34A85E522DF442E8B9F951EDA2D9D91583A1A49B
HistoryMay 20, 2020 - 3:25 p.m.

Security Bulletin: IBM API Connect is impacted by vulnerabilities in PHP (CVE-2020-7060, CVE-2020-7059)

2020-05-2015:25:37
www.ibm.com
11

0.004 Low

EPSS

Percentile

74.1%

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2020-7060
**DESCRIPTION:**PHP is vulnerable to a buffer overflow, caused by improper bounds checking by the mbfl_filt_conv_big5_wchar function. By sending specially crafted data, a remote attacker could overflow a buffer and obtain sensitive information or cause the application to crash.

CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175204 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-7059
**DESCRIPTION:**PHP is vulnerable to denial of service, caused by an out-of-bounds read in php_strip_tags_ex. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175030 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
API Connect IBM API Connect V2018.4.1.0-2018.4.1.10
API Connect IBM API Connect V5.0.0.0-5.0.8.7

Remediation/Fixes

Affected Product

|

Addressed in VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—

IBM API Connect

V5.0.0.0-5.0.8.7

| 5.0.8.8 | LI81501 | Addressed in IBM API Connect V5.0.8.8

Developer Portal is impacted.

Follow this link and find the “Portal” package:

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V2018.4.1.0-2018.4.1.10

| 2018.4.1.11 | LI81501 |

Addressed in IBM API Connect V2018.4.1.11

Developer Portal is impacted.

Follow this link and find the “Portal” package:

http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None