Lucene search

K
ibmIBMA5BDBA48582E84D9D511148A7D6686E035238126382034F25D0DE3123B69FAB0
HistoryMay 10, 2020 - 6:01 p.m.

Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-12406)

2020-05-1018:01:56
www.ibm.com
4

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

Summary

IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability

Vulnerability Details

CVEID:CVE-2019-12406
**DESCRIPTION:**Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Private 3.2.1 CD
IBM Cloud Private 3.2.0 CD

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

  • IBM Cloud Private 3.2.0
  • IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply March fix pack:

For IBM Cloud Private 3.2.1, apply March fix pack:

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.1.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

Related for A5BDBA48582E84D9D511148A7D6686E035238126382034F25D0DE3123B69FAB0