Lucene search

K
ibmIBMA14074B63DD301417E9DF0F0CA920DF28041AE6FB1B473141F78ECFEA97F3165
HistoryApr 14, 2020 - 11:48 a.m.

Security Bulletin: A vulnerability in Netty affects the IBM Performance Management product (CVE-2019-16869)

2020-04-1411:48:56
www.ibm.com
21
netty
http request smuggling
cache poisoning
firewall
xss attacks
ibm performance management
ibm cloud apm 8.1.4
patch
remediation

EPSS

0.022

Percentile

89.7%

Summary

Netty is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual whitespaces before the colon in HTTP headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. IBM Performance Management has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2019-16869
**DESCRIPTION:**Netty is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual whitespaces before the colon in HTTP headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167672 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud APM 8.1.4
IBM Cloud APM, Advanced Private 8.1.4
IBM Cloud APM, Base Private 8.1.4

Remediation/Fixes

IBM Cloud Application Performance Management, Base Private

IBM Cloud Application Performance Management, Advanced Private| 8.1.4|

The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0010 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/pages/node/6120993&gt;

The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-GATEWAY-IF0008 or later Hybrid Gateway patch to the system where the Hybrid Gateway is installed: <https://www.ibm.com/support/pages/node/6125031&gt;

—|—|—

IBM Cloud Application Performance Management

| N/A|

The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-GATEWAY-IF0008 or later Hybrid Gateway patch to the system where the Hybrid Gateway is installed: <https://www.ibm.com/support/pages/node/6125031&gt;

Workarounds and Mitigations

None

EPSS

0.022

Percentile

89.7%