History: Mar 30, 2020 - 9:06 a.m.

Security Bulletin: Multiple vulnerabilities in Jasper used in Jetty 8.1.3 Server where Rational Change is deployed

2020-03-30 09:06:54
www.ibm.com
CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

Multiple vulnerabilities in Jasper, Version 2 Service Refresh 2 Fix Pack 2, used by Jetty 8.1.3, affect IBM Rational Change.

Vulnerability Details

The following vulnerabilities affect IBM Rational Change:

CVEID: CVE-2017-7658
DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145522> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-12536
DESCRIPTION: Eclipse Jetty could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL request to the java.nio.file.InvalidPathException function using an invalid parameter to cause an error message to be returned containing the full installation path. An attacker could use this information to launch further attacks against the affected system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145523> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-7656
DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw in the HTTP/1.x Parser. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145520> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2017-7657
DESCRIPTION: Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked Transfer-Encoding chunk size. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145521> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-18873
DESCRIPTION: JasPer is vulnerable to a denial of service, caused by a NULL pointer dereference in the ras_putdatastd function in ras/ras_enc.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152318> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-19139
DESCRIPTION: JasPer is vulnerable to a denial of service, caused by a memory leak in jas_malloc.c when called from jpc_unk_getparms in jpc_cs.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153097> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-20584
DESCRIPTION: JasPer is vulnerable to a denial of service, caused by a flaw when converting the output to jp2 format. By using a specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154954> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-20570
DESCRIPTION: JasPer is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the jp2_encode function in jp2/jp2_enc.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154998> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-20622
DESCRIPTION: JasPer could allow a remote attacker to obtain sensitive information, caused by a memory leak in base/jas_malloc.c in libjasper.a when "--output-format jp2" is used. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155056> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-10247
DESCRIPTION: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160610> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-12545
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/161491> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
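
The request-smuggling entries for CVE-2017-7658 and CVE-2017-7657 above describe requests whose length is ambiguous: more than one Content-Length header, or a mishandled chunk size. The following Python check is an added example, not part of IBM's bulletin or of Jetty; it flags such framing in a raw HTTP/1.x request, for instance in a filter placed in front of a server that has not yet been upgraded. The 8-digit chunk-size limit, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

MAX_CHUNK_HEX_DIGITS = 8  # assumed policy limit, not a value from the bulletin
_HEX = re.compile(rb"[0-9A-Fa-f]+")

def chunk_findings(body: bytes) -> list[str]:
    """Walk the chunk-size lines of a chunked body; stop at the first problem."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return ["truncated chunked body"]
        size = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not _HEX.fullmatch(size):
            return ["malformed chunk size"]
        if len(size) > MAX_CHUNK_HEX_DIGITS:
            return ["oversized chunk size"]
        if int(size, 16) == 0:
            return []
        pos = end + 2 + int(size, 16) + 2  # skip chunk data and its CRLF

def framing_findings(raw: bytes) -> list[str]:
    """Return the reasons the framing of one raw HTTP/1.x request is ambiguous."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lengths, chunked = [], False
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"content-length":
            lengths.append(value)
        elif name == b"transfer-encoding" and b"chunked" in value.lower():
            chunked = True
    findings = []
    if len(lengths) > 1:
        findings.append("multiple Content-Length headers")
    if any(not v.isdigit() for v in lengths):
        findings.append("non-numeric Content-Length")
    if chunked and lengths:
        findings.append("Content-Length with chunked Transfer-Encoding")
    return findings + (chunk_findings(body) if chunked else [])

# Constructed sample requests (not captured traffic).
HEAD = b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
DUPLICATE_CL = HEAD + b"Content-Length: 5\r\nContent-Length: 0\r\n\r\nhello"
HUGE_CHUNK = HEAD + b"Transfer-Encoding: chunked\r\n\r\n100000000a\r\nhi\r\n0\r\n\r\n"
CLEAN_CHUNKED = HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"

if __name__ == "__main__":
    for sample in (DUPLICATE_CL, HUGE_CHUNK, CLEAN_CHUNKED):
        print(framing_findings(sample))
```

An empty list means the request has a single, unambiguous length; any finding is a reason to reject the request rather than forward it.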

Affected Products and Versions

IBM Rational Change 5.3.1, 5.3.1.1 and 5.3.1.2.

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
Rational Change | 5.3.1, 5.3.1.1, 5.3.1.2. | None. | Upgrade to Rational Change 5.3.2 supporting Jetty 9.4.14 from IBM Passport Advantage and apply it.

NOTE:

Download the Rational Synergy 7.2.2 installation image by referring to the installation platform and its part number in the following list:

  • IBM Rational Change V5.3.2 Multi-platform Multilingual (CC5T0ML) - Windows and Linux included.

Workarounds and Mitigations

None
