Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Open Source vulnerabilities

2020-01-1008:06:20

www.ibm.com

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

JSON

Summary

IBM WebSphere Cast Iron Solution & App Connect Professional has addressed the open source vulnerabilities.

Vulnerability Details

CVEID:CVE-2019-9824
**DESCRIPTION:**tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158312 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

WebSphere Cast Iron v 7.5.0.0, 7.5.0.1, 7.5.1.0

WebSphere Cast Iron v 7.0.0.0, 7.0.0.1, 7.0.0.2

App Connect Professional v 7.5.2.0

App Connect Professional v 7.5.3.0

Remediation/Fixes

Product	VRMF	Remediation/First Fix
IBM Cast Iron	7.0.0.0
7.0.0.1
7.0.0.2	7002 Fixcentral Link
IBM Cast Iron	7.5.0.0
7.5.0.1
7.5.1.0	7510 fixcentral Link
App Connect Professional	7.5.2.0	7520 Fixcentral link
App Connect Professional	7.5.3.0	7530 Fixcentral link

Workarounds and Mitigations

None

CPENameOperatorVersion
websphere cast iron v 7.5.0.0, 7.5.0.1,eq7.5.1.0
websphere cast iron v 7.0.0.0, 7.0.0.1, eq7.0.0.2
app connect professional  veq7.5.2.0
app connect professional  veq7.5.3.0

Name	Operator	Version
websphere cast iron v 7.5.0.0, 7.5.0.1,	eq	7.5.1.0
websphere cast iron v 7.0.0.0, 7.0.0.1,	eq	7.0.0.2
app connect professional v	eq	7.5.2.0
app connect professional v	eq	7.5.3.0