Oct 07, 2022 - 4:09 p.m.

Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)

www.ibm.com
EPSS: 0.002 Low, Percentile: 52.7%

Summary

There is a vulnerability in the Eclipse Paho library used by Liberty for Java for IBM Cloud with the rtcomm-1.0 or rtcommGateway-1.0 feature enabled. This has been addressed.

Vulnerability Details

**CVEID:** CVE-2019-11777
**DESCRIPTION:** Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167068 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

This vulnerability affects all versions of Liberty for Java for IBM Cloud up to and including v3.72.

Remediation/Fixes

To upgrade to Liberty for Java for IBM Cloud v3.73-20220816-0814 or higher, you must re-stage or re-push your application.

To find the current version of Liberty for Java for IBM Cloud being used, run the following command from the command-line Cloud Foundry client:

cf ssh <appname> -c "cat staging_info.yml"

Look for a line similar to the following:

{"detected_buildpack":"Liberty for Java™ (WAR, liberty-xxx, 3.73-20220816-0814, xxx, env)","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>
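
The version check described above can be scripted. The following is an added example, not part of the IBM bulletin: the function names and the sample line are constructed here, and it assumes the version field always has the `3.73-20220816-0814` shape shown in the sample output.

```shell
#!/bin/sh
# Added example: classify the buildpack version found in staging_info.yml.
# Per the bulletin, v3.72 and earlier are affected and v3.73 is the fix.
FIXED_MAJOR=3
FIXED_MINOR=73

# Print MAJOR.MINOR from the detected_buildpack field of the text on stdin.
# Assumption: the version looks like 3.73-20220816-0814 (see sample below).
buildpack_version() {
    sed -n 's/.*"detected_buildpack":"[^"]*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\)-[0-9]\{8\}-[0-9]\{4\}[^"]*".*/\1/p' |
        head -n 1
}

# Print FIXED, VULNERABLE or UNKNOWN for staging_info.yml content on stdin.
# UNKNOWN means the field was missing or unparsable: inspect it by hand.
check_staging_info() {
    ver=$(buildpack_version || true)
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Constructed sample, modelled on the line shown in the bulletin.
SAMPLE='{"detected_buildpack":"Liberty for Java™ (WAR, liberty-xxx, 3.73-20220816-0814, xxx, env)","start_command":".liberty/initial_startup.rb"}'
printf '%s\n' "$SAMPLE" | check_staging_info

# Against a live application (requires the cf CLI and a logged-in session):
#   cf ssh <appname> -c "cat staging_info.yml" | check_staging_info
```

An application that reports VULNERABLE needs the re-stage or re-push described above before the fixed buildpack takes effect.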

Workarounds and Mitigations

None

CPE Name | Operator | Version
these vulnerabilities affect | eq | any
