Lucene search

IBMBC1C22C92E0CEE8467256F78F387FAEA6F852E767E00D35A6A75231D35E5F318

HistoryAug 04, 2022 - 1:03 p.m.

Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is vulnerable to sensitive information exposure due to GNU ncurses (CVE-2019-17595, CVE-2019-17594)

2022-08-0413:03:37

www.ibm.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

0.002 Low

EPSS

Percentile

50.9%

JSON

Summary

IBM Sterling Connect:Direct for UNIX Certified Container bundles ncurses as third party packages in its container image which has the vulnerability where attacker can obtain sensitive information. This fix updates ncurses to 6.1-9.20180224.el8.

Vulnerability Details

CVEID:CVE-2019-17595
**DESCRIPTION:**GNU ncurses could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168972 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-17594
**DESCRIPTION:**GNU ncurses could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168970 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Connect:Direct for UNIX	6.0.0
IBM Sterling Connect:Direct for UNIX	6.1.0
IBM Sterling Connect:Direct for UNIX	6.2.0

Remediation/Fixes

Product(s)	Version(s)	APAR	Remediation/Fix
IBM Sterling Connect:Direct for UNIX	6.2.0 IBM Certified Container	IT41640	Apply 6.2.0.4, see Downloading the Certified Container Software
IBM Sterling Connect:Direct for UNIX	6.1.0 IBM Certified Container	IT41640	Apply 6.2.0.4, see Downloading the Certified Container Software
IBM Sterling Connect:Direct for UNIX	6.0.0 IBM Certified Container	IT41640	Apply 6.2.0.4, see Downloading the Certified Container Software

Workarounds and Mitigations

None

CPENameOperatorVersion
sterling connect:direct for unixeq6.2.0
sterling connect:direct for unixeq6.1.0
sterling connect:direct for unixeq6.0.0

Name	Operator	Version
sterling connect:direct for unix	eq	6.2.0
sterling connect:direct for unix	eq	6.1.0
sterling connect:direct for unix	eq	6.0.0

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

0.002 Low

EPSS

Percentile

50.9%

JSON

Related for BC1C22C92E0CEE8467256F78F387FAEA6F852E767E00D35A6A75231D35E5F318