Lucene search

K
ibmIBM9D10729AB8873D23F2244363D8A1DDDC6F4683B3420052FC513112D30B8E6FC8
HistoryOct 06, 2021 - 12:30 p.m.

Security Bulletin: IBM Security Guardium Insights is affected by Components with known vulnerabilities

2021-10-0612:30:35
www.ibm.com
29
ibm security guardium insights
netty
http request smuggling
httpobjectdecoder
denial of service
cve-2019-16869
cve-2019-20444
cve-2019-20445
cve-2020-11612
cvss
remote attacker
xss attacks
web cache
web application firewall protection
zlibencoded byte stream
2.0.1
security bulletin
known vulnerabilities
system attacks

EPSS

0.022

Percentile

89.7%

Summary

IBM Security Guardium Insights has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2019-16869
**DESCRIPTION:**Netty is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual whitespaces before the colon in HTTP headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167672 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-20444
**DESCRIPTION:**Netty is vulnerable to HTTP request smuggling, caused by a flaw in the HttpObjectDecoder.java. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175487 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-20445
**DESCRIPTION:**Netty could provide weaker than expected security, caused by non-proper handling of Content-Length and Transfer-Encoding in the HttpObjectDecoder.java. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175486 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-11612
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by unbounded memory allocation while decoding a ZlibEncoded byte stream in the ZlibDecoders. By sending a large ZlibEncoded byte stream, a remote attacker could exploit this vulnerability to exhaust memory resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Guardium Insights 2.0.1

Remediation/Fixes

Product

|

VRMF

|

Remediation / First Fix

—|—|—
IBM Security Guardium Insights| 2.0.1| https://www.ibm.com/software/passportadvantage/?mhsrc=ibmsearch_a&mhq=pasport%20advantage

Workarounds and Mitigations

None

EPSS

0.022

Percentile

89.7%