Lucene search

IBM93A47D25901191E1884C82DE1A1397BD557ACD516C2270C6651362186C9956C7

HistoryApr 06, 2021 - 5:20 p.m.

Security Bulletin: IBM API Connect V5 is impacted by a denial of service (DoS) vulnerability in NTP (CVE-2020-15025)

2021-04-0617:20:36

www.ibm.com

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

JSON

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID:CVE-2020-15025
**DESCRIPTION:**NTP is vulnerable to a denial of service, caused by a memory leak when a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file in ntpd. By sending specially-crafted packets, a remote authenticated attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
API Connect	IBM API Connect V5.0.0.0-5.0.8.10

Remediation/Fixes

Affected Product

Addressed in VRMF

APAR

Remediation / First Fix

—|—|—|—

IBM API Connect

V5.0.0.0-5.0.8.10

5.0.8.11

| LI82046|

Addressed in IBM API Connect V5.0.8.11

Management server is impacted.

Follow this link and find the “Management” package:

http://www.ibm.com/support/fixcentral/swg/quickorder

Refer to 5.0.8.11 announce notes for important information on upgrade: <https://www.ibm.com/support/pages/node/6429049>

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm api connecteq5.0.0.0
ibm api connecteq5.0.8.10

CPE	Name	Operator	Version
	ibm api connect	eq	5.0.0.0
	ibm api connect	eq	5.0.8.10

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

JSON

Related for 93A47D25901191E1884C82DE1A1397BD557ACD516C2270C6651362186C9956C7