Lucene search

IBMBFAB1EF8D38F9A76515AD06B662674DF3610CBF2129EE9786EAC5DCA6A2ED028

HistoryJan 24, 2023 - 3:08 p.m.

Security Bulletin: Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-39140)

2023-01-2415:08:37

www.ibm.com

ibm tivoli netcool configuration manager

xstream

vulnerability

denial of service

cve-2021-39140

itncm 6.4.2

fix pack 17

6.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:N/I:N/A:C

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.018 Low

EPSS

Percentile

88.1%

JSON

Summary

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded.

Vulnerability Details

CVEID:CVE-2021-39140
**DESCRIPTION:**XStream is vulnerable to a denial of service, caused by an infinite loop flaw. By manipulating the processed input stream, a remote authenticated attacker could exploit this vulnerability to allocate 100% CPU time on the target system, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208110 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
ITNCM	6.4.2

Remediation/Fixes

Affected Product(s)	Version(s)	Remediation
ITNCM	6.4.2	Upgrade to ITNCM 6.4.2 Fix Pack 17 (6.4.2.17)

ITNCM 6.4.2 Fix Pack 17 can be downloaded from Fix Central: 6.4.2-TIV-ITNCM-FP017

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmtivoli_netcool_security_managerMatch6.4.2

CPENameOperatorVersion
tivoli netcool configuration managereq6.4.2

CPE	Name	Operator	Version
	tivoli netcool configuration manager	eq	6.4.2

6.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:N/I:N/A:C

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.018 Low

EPSS

Percentile

88.1%

JSON

Related for BFAB1EF8D38F9A76515AD06B662674DF3610CBF2129EE9786EAC5DCA6A2ED028