Published: May 27, 2020 - 8:42 a.m.

Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)

Source: www.ibm.com

8.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Summary

IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to three security vulnerabilities in PostgreSQL: one for a flaw in the search_path setting, one for a failure to check the host name when no host name verifier was provided to the driver, and one for a flaw in the COPY TO/FROM PROGRAM function.

Vulnerability Details

CVEID: CVE-2018-1058
**DESCRIPTION:** PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the search_path setting. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code with the permissions of the superuser in the database.
CVSS Base score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139844 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-10936
**DESCRIPTION:** PostgreSQL is vulnerable to a man-in-the-middle attack, caused by the failure to check the host name when no host name verifier was provided to the driver. By using a specially-crafted SSL certificate, an attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149157 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2019-9193
**DESCRIPTION:** PostgreSQL could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the COPY TO/FROM PROGRAM function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of the database's operating system user.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159212 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Security Identity Governance and Intelligence | 5.2.6

Remediation/Fixes

Affected Product(s) | Version(s) | First Fix
IBM Security Identity Governance and Intelligence | 5.2.6 | 5.2.6.0-ISS-SIGI-FP0001

Workarounds and Mitigations

None
