Lucene search

IBMA3B3A4AC15A26AB0D267AA4DBB43A27F81DBCC3957296E174B54A666F0CD76DD

HistoryApr 11, 2024 - 7:06 p.m.

Security Bulletin: IBM DevOps Deploy / IBM Urbancode Deploy (UCD) is vulnerable to denial of service due to Apache Commons Compress ( CVE-2024-25710, CVE-2024-26308 )

2024-04-1119:06:08

www.ibm.com

ibm urbancode deploy

ucd

apache commons compress

denial of service

cve-2024-25710

cve-2024-26308

vulnerability

out of memory error

pack200 file

dump file

remote attacker

cvss score

upgrade

versions

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

Summary

Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error.

Vulnerability Details

CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
UCD - IBM UrbanCode Deploy	7.0 - 7.0.5.20
UCD - IBM UrbanCode Deploy	7.1 - 7.1.2.16
UCD - IBM UrbanCode Deploy	7.2 - 7.2.3.9
UCD - IBM UrbanCode Deploy	7.3 - 7.3.2.4
UCD - IBM DevOps Deploy	8.0 - 8.0.0.1

Remediation/Fixes

IBM strongly suggests the following:

Upgrade affected versions to any of 7.0.5.21, 7.1.2.17, 7.2.3.10, 7.3.2.5, or 8.0.1.0 or later

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmurbancode_deployMatch8.0.1.1

CPENameOperatorVersion
ibm urbancode deployeq8.0.1.1

CPE	Name	Operator	Version
	ibm urbancode deploy	eq	8.0.1.1

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

Related for A3B3A4AC15A26AB0D267AA4DBB43A27F81DBCC3957296E174B54A666F0CD76DD