Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-12406)

Summary

There is a denial of service in the Apache CXF library used by WebSphere Application Server. This has been addressed.

Vulnerability Details

CVEID:CVE-2019-12406
**DESCRIPTION:**Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

Upgrade to IBM Watson Compare and Comply for IBM Cloud Pak for Data 1.1.8. To download the software, go to Passport Advantage, then search for “watson compare and comply for ICP for Data”, then select IBM Watson Compare and Comply for ICP for Data V1.1.8 Linux English , part number CC6J1EN.

Workarounds and Mitigations

None