IBMBEC5CE0A39BF468C1CF717499397D0B4CFE3022F0DBE143403F4FBF431616E65Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202)
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
52.7%
Summary
The connect image in IBM Security Verify Information Queue (ISIQ) v10.0.2 uses an older version of the Oracle JDBC jar file that has multiple vulnerabilities. ISIQ v10.0.3 upgraded its connect image to include a newer Oracle JDBC jar that remediates the vulnerabilities. (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202)
Vulnerability Details
CVEID:CVE-2019-2444
**DESCRIPTION:**An unspecified vulnerability in Oracle Database Server related to the Core RDBMS component could allow an authenticated attacker to take control of the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155761 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2019-2619
**DESCRIPTION:**An unspecified vulnerability in Oracle Database Server related to the Portable Clusterware component could allow an authenticated attacker to take control of the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159715 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVEID:CVE-2017-10321
**DESCRIPTION:**An unspecified vulnerability in Oracle Database Server related to the Core RDBMS component could allow an authenticated attacker to take control of the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133750 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVEID:CVE-2017-10202
**DESCRIPTION:**An unspecified vulnerability in Oracle Database Server related to the OJVM component could allow an authenticated attacker to take control of the system.
CVSS Base score: 9.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/128941 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Verify Information Queue | 10.0.2 |
Remediation/Fixes
IBM encourages customers to update their systems promptly.
Download and install the latest ISIQ images, tagged at 10.0.3 or greater, from the ISIQ Starter Kit page at <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm security verify information queue | eq | 10.0.2 |
Related
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
52.7%