Security Bulletin: TADDM is vulnerable to a denial of service due to vulnerability in SBLIM and Apache Commons Library

Published: 2024-08-16 12:14:54
Source: www.ibm.com

CVSS2: 10

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score: 8.5 (Confidence: High)

Summary

SBLIM and Apache Commons, used by IBM Tivoli Application Dependency Discovery Manager (TADDM), are vulnerable to CVE-2008-7230, CVE-2010-1937 and CVE-2012-2328.

Vulnerability Details

CVEID: CVE-2008-7230
**DESCRIPTION:** An unspecified vulnerability in SBLIM-SFCB (Small Footprint CIM Broker) has an unknown impact and attack vector.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/48821 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2010-1937
**DESCRIPTION:** SBLIM-SFCB is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the getPayload() function when verifying the provided size value using the Content-Length header. By sending a specially-crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/59025 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2012-2328
**DESCRIPTION:** SBLIM is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests containing conflicting hash key values to an affected application, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/76522 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 - 7.3.0.11 |

Remediation/Fixes

To fix these vulnerabilities, follow the steps below:

**For TADDM 7.3.0.0 - 7.3.0.9:** upgrade your TADDM environment to the latest version (preferably 7.3.0.11), then download the e-fix listed in Table-1 and apply it.

**For TADDM 7.3.0.10 - 7.3.0.11:** download the e-fix listed in Table-1 and apply it.

Table-1

| Fix | VRMF | APAR | How to acquire fix |
|---|---|---|---|
| efix_sblim_ApacheCommons_FP11230825.zip | 7.3.0.11 | None | Download eFix |
| efix_sblim_ApacheCommons_FP10221123.zip | 7.3.0.10 | None | Download eFix |

Refer to the table below to download TADDM FixPack 7.3.0.11.

| Fix | How to acquire fix |
|---|---|
| 7.3-TIV-ITADDM-FP00011 | Download FixPack |

The TADDM FixPack 7.3.0.11 Release Notes, which contain more information about the update, are available at the following URL:

https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp11

Workarounds and Mitigations

None
