Lucene search

IBMB36D4D104A4F6AABE76B2FD840B292FAFEABCFA232BB38EEB768F68D12E9D548

HistoryJan 19, 2021 - 4:05 p.m.

Security Bulletin: A vulnerability has been identified in Apache HttpClient shipped with IBM Spectrum Scale Transparent Cloud Tiering (CVE-2020-13956)

2021-01-1916:05:13

www.ibm.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Summary

Apache HttpClient is a component shipped with IBM Spectrum Scale Transparent Cloud Tiering. Information about security vulnerabilities affecting Apache HttpClient has been published. (CVE-2020-13956)

Vulnerability Details

CVEID:CVE-2020-13956
**DESCRIPTION:**Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
gpfs.tct.server	1.1.2
gpfs.tct.server	1.1.6
gpfs.tct.client	1.1.3
gpfs.tct.server	1.1.1
gpfs.tct.server	1.1.5
gpfs.tct.server	1.1.7
gpfs.tct.server	1.1.3
gpfs.tct.server	1.1.8

Remediation/Fixes

For Transparent Cloud Tiering 1.1.1.0 thru 1.1.8.2, apply Transparent Cloud Tiering 1.1.8.3 bundled with IBM Spectrum Scale V5.1.0.1 available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.0&platform=All&function=all

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum scaleeq1.1.1.0
ibm spectrum scaleeq1.1.8.2

CPE	Name	Operator	Version
	ibm spectrum scale	eq	1.1.1.0
	ibm spectrum scale	eq	1.1.8.2

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Related for B36D4D104A4F6AABE76B2FD840B292FAFEABCFA232BB38EEB768F68D12E9D548