Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM9EAED1F5FB3762874ED935AF686A504F1630ADB20AA5EBFAE97EAEEEA4C0DAF8
HistoryFeb 21, 2022 - 4:39 a.m.

Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript.

2022-02-2104:39:05
www.ibm.com
28

EPSS

0.974

Percentile

99.9%

JSON

Summary

WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript. These vulnerabilities are addressed in App connect professional v7.5.4.0 and v7.5.5.0, customer can migrate to these versions without incurring any additional cost.

Vulnerability Details

CVEID:CVE-2019-11472
**DESCRIPTION:**ImageMagick is vulnerable to a denial of service, caused by a divide-by-zero error in the ReadXWDImage function in coders/xwd.c. By persuading a victim to open a specially-crafted XWD image file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160054 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-11470
**DESCRIPTION:**ImageMagick is vulnerable to a denial of service, caused by uncontrolled resource consumption in the ReadXWDImage function in coders/xwd.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160055 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-11597
**DESCRIPTION:**ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WritePNMImage function in coders/pnm.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service or possibly obtain sensitive information.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160255 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID:CVE-2014-9709
**DESCRIPTION:**gd-libgd is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by gd_gif_in.c. By sending a specially-crafted GIF file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/101757 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID:CVE-2019-11479
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a flaw when processing minimum segment size (MSS). By sending specially-crafted MSS traffic, a remote attacker could exploit this vulnerability to cause excess usage of system resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162665 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11477
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by an integer overflow when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafted SACKs requests, a remote attacker could exploit this vulnerability to cause a kernel panic condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162662 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11598
**DESCRIPTION:**ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WritePNMImage function in coders/pnm.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service or possibly obtain sensitive information.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160252 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID:CVE-2019-11478
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by an issue with fragmenting the TCP retransmission queue when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafted SACKs requests, a remote attacker could exploit this vulnerability to cause an excess of system resource usage.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162664 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11599
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a race condition in the coredump implementation. By using a specially-crafted system call, a local attacker could exploit this vulnerability to cause the application to crash or obtain sensitive information.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160262 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVEID:CVE-2019-3885
**DESCRIPTION:**Pacemaker could allow a remote attacker to obtain sensitive information, caused by a use-after-free flaw. A remote attacker could exploit this vulnerability to obtain sensitive information from the system logs.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159857 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-2774
**DESCRIPTION:**ISC DHCP is vulnerable to a denial of service, caused by the failure to limit the number of open TCP connections to the ports for inter-process communications and control. By opening a large number of TCP connections, a remote attacker from within the local network could exploit this vulnerability to become unresponsive or consume all available sockets.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/111319 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-11068
**DESCRIPTION:**libxslt could allow a remote attacker to bypass security restrictions, caused by a flaw in the xsltCheckRead and xsltCheckWrite routines. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159898 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2019-10131
**DESCRIPTION:**ImageMagick is vulnerable to a denial of service, caused by an off-by-one read flaw in the formatIPTCfromBuffer function in coders/meta.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160672 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-1120
**DESCRIPTION:**procps-ng procps is vulnerable to a denial of service, caused by improper validation of user-supplied request. By mmaping a FUSE file to the process command-line arguments, a remote attacker could exploit this vulnerability to block read access to the files under /proc/PID/.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/143450 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-10650
**DESCRIPTION:**ImageMagick is vulnerable to a denial of service, caused by a heap-based buffer over-read in the WriteTIFFImage function in coders/tiff.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160121 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-5436
**DESCRIPTION:**cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet() function. By sending overly long data, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161431 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-3838
**DESCRIPTION:**Ghostscript could allow a remote attacker to bypass security restrictions, caused by improper usage of forceput operator. By persuading a victim to open a specially-crafted PostScript file, a remote attacker could exploit this vulnerability to gain access to the file system outside of the constraints imposed by -dSAFER.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158503 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2018-16877
**DESCRIPTION:**Pacemaker could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the authentication in the client server. An attacker could exploit this vulnerability to escalate privileges.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159859 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-16878
**DESCRIPTION:**Pacemaker is vulnerable to a denial of service, caused by insufficient verification inflicted preference of uncontrolled processes. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
WebSphere Cast Iron 7.5.1.0
App Connect Professional 7.5.2.0
App Connect Professional 7.5.4.0
App Connect Professional 7.5.5.0

Remediation/Fixes

Affected Product(s) Version(s) Remediation
App Connect Professional 7.5.4.0 7540 Fixcentral link
App Connect Professional 7.5.5.0 7550 Fixcentral link

Workarounds and Mitigations

None

Related

nessus 79
openvas 29
fedora 5
suse 4
ubuntu 3
ibm 19
redhat 16
oraclelinux 6
amazon 3
mageia 4
arista 1
myhack58 1
archlinux 4
mscve 1
fortinet 1
attackerkb 1
citrix 2
centos 2
checkpoint_security 1
gentoo 1
paloalto 1
symantec 1
threatpost 1
virtuozzo 4
zdt 1
cert 1
ics 1
freebsd 1
vmware 2
cloudfoundry 1
osv 1
debian 1
nessus
nessus
EulerOS 2.0 SP5 : ImageMagick (EulerOS-SA-2019-1583)
2019-05-29 00:00:00
Fedora 29 : pacemaker (2019-b502250ba4)
2019-05-06 00:00:00
Amazon Linux 2 : pacemaker (ALAS-2019-1275)
2019-08-28 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for ImageMagick (EulerOS-SA-2019-1583)
2020-01-23 00:00:00
Huawei EulerOS: Security Advisory for ImageMagick (EulerOS-SA-2019-1581)
2020-01-23 00:00:00
Fedora Update for pacemaker FEDORA-2019-b502250ba4
2019-05-07 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: pacemaker-1.1.18-3.fc28
2019-05-04 01:17:47
[SECURITY] Fedora 29 Update: pacemaker-2.0.0-5.fc29
2019-05-05 02:44:11
[SECURITY] Fedora 30 Update: pacemaker-2.0.1-2.fc30
2019-04-23 23:44:10
suse
suse
Security update for pacemaker (important)
2019-05-15 00:00:00
Security update for ImageMagick (moderate)
2019-07-01 00:00:00
Security update for pacemaker (important)
2019-05-08 00:00:00
ubuntu
ubuntu
Pacemaker vulnerabilities
2019-04-23 00:00:00
Linux kernel vulnerabilities
2019-06-17 00:00:00
Linux kernel vulnerabilities
2019-06-17 00:00:00
ibm
ibm
Security Bulletin: IBM MQ is affected by multiple vulnerabilities in Pacemaker
2020-12-18 14:09:33
Security Bulletin: IBM MQ Appliance is affected by Pacemaker vulnerabilities (CVE-2018-16878, CVE-2018-16877, CVE-2019-3885)
2020-12-18 18:18:11
Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2019-11479, CVE-2019-11478, CVE-2019-11477)
2020-01-29 16:27:06
redhat
redhat
(RHSA-2019:1279) Important: pacemaker security and bug fix update
2019-05-27 15:45:19
(RHSA-2019:1278) Important: pacemaker security update
2019-05-27 15:45:15
(RHSA-2019:1484) Important: kernel security and bug fix update
2019-06-17 19:12:10
oraclelinux
oraclelinux
pacemaker security and bug fix update
2019-07-30 00:00:00
Unbreakable Enterprise kernel security update
2019-06-17 00:00:00
Unbreakable Enterprise kernel security update
2019-06-17 00:00:00
amazon
amazon
Important: pacemaker
2019-08-23 03:37:00
Critical: kernel
2019-06-13 21:37:00
Critical: kernel
2019-06-13 22:11:00
mageia
mageia
Updated pacemaker packages fix security vulnerabilities
2019-12-19 16:44:26
Updated kernel packages fix security vulnerability
2019-06-21 04:07:01
Updated kernel-tmb packages fix security vulnerability
2019-06-21 04:07:01
arista
arista
Security Advisory 0041
2019-06-26 00:00:00
myhack58
myhack58
CVE-2019-11477: Linux kernel TCP SACK mechanism remote Dos early warning analysis-vulnerability warning-the black bar safety net
2019-06-19 00:00:00
archlinux
archlinux
[ASA-201906-14] linux-lts: denial of service
2019-06-18 00:00:00
[ASA-201906-12] linux-hardened: denial of service
2019-06-17 00:00:00
[ASA-201906-13] linux: denial of service
2019-06-18 00:00:00
mscve
mscve
Linux Kernel TCP SACK Denial of Service Vulnerability
2019-06-28 07:00:00
fortinet
fortinet
TCP SACK panic attack- Linux Kernel Vulnerabilities- CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479
2019-11-29 00:00:00
attackerkb
attackerkb
TCP SACK PANIC
2020-02-13 00:00:00
citrix
citrix
Citrix SD-WAN Security Update
2019-09-11 04:00:00
Citrix Hypervisor Security Update.
2019-07-08 04:00:00
centos
centos
bpftool, kernel, perf, python security update
2019-06-19 00:21:01
kernel, perf, python security update
2019-06-19 00:19:05
checkpoint_security
checkpoint_security
Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479
2019-06-18 05:16:31
gentoo
gentoo
Pacemaker: Multiple Vulnerabilities
2023-09-29 00:00:00
paloalto
paloalto
Information about TCP SACK Panic Findings in PAN-OS
2019-06-27 00:00:00
symantec
symantec
Linux Kernel Vulnerabilities May-June 2019
2019-09-05 08:00:00
threatpost
threatpost
Linux Kernel Bug Knocks PCs, IoT Gadgets and More Offline
2019-06-18 18:43:50
virtuozzo
virtuozzo
Important kernel security update: New kernel 2.6.32-042stab139.1; Virtuozzo 6.0 Update 12 Hotfix 43 (6.0.12-3743)
2019-06-20 00:00:00
Important kernel security update: New kernel 2.6.32-042stab139.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2019-06-20 00:00:00
Kernel update: Virtuozzo ReadyKernel patch 82.2 for Virtuozzo 7.0.8 HF1 and 7.0.10 HF1
2019-06-27 00:00:00
zdt
zdt
Linux / FreeBSD TCP-Based Denial Of Service Vulnerability
2019-06-18 00:00:00
cert
cert
Multiple TCP Selective Acknowledgement (SACK) and Maximum Segment Size (MSS) networking vulnerabilities may cause denial-of-service conditions in Linux and FreeBSD kernels
2019-06-20 00:00:00
ics
ics
Siemens Industrial Products (Update R)
2022-05-12 12:00:00
freebsd
freebsd
ImageMagick -- multiple vulnerabilities
2019-03-07 00:00:00
vmware
vmware
VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)
2019-07-02 00:00:00
VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)
2019-07-02 00:00:00
cloudfoundry
cloudfoundry
USN-4017-1: Linux kernel vulnerabilities | Cloud Foundry
2019-07-03 00:00:00
osv
osv
pacemaker - security update
2021-01-06 00:00:00
debian
debian
[SECURITY] [DLA 2519-1] pacemaker security update
2021-01-06 22:25:21

EPSS

0.974

Percentile

99.9%

JSON
Related for 9EAED1F5FB3762874ED935AF686A504F1630ADB20AA5EBFAE97EAEEEA4C0DAF8
nessus79openvas29fedora5suse4ubuntu3ibm19redhat16oraclelinux6amazon3mageia4arista1myhack581archlinux4mscve1fortinet1attackerkb1citrix2centos2checkpoint_security1gentoo1paloalto1symantec1threatpost1virtuozzo4zdt1cert1ics1freebsd1vmware2cloudfoundry1osv1debian1