Security Bulletin: IBM Storage Protect Server is vulnerable to attacks due to Google guava (CVE-2020-8908, CVE-2018-10237)

Summary

Google guava is used by IBM Storage Protect and may be affected by these vulnerabilities.

Vulnerability Details

CVEID:CVE-2020-8908
**DESCRIPTION:**Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2018-10237
**DESCRIPTION:**Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/142508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Storage Protect Server| 8.1

Remediation/Fixes

IBM Storage Protect Server Affected Versions

| Fixing Level|Platform|Link to Fix and Instructions
—|—|—|—
8.1.0.000 - 8.1.18.xxx| 8.1.19| AIX, Linux, Windows| <https://www.ibm.com/support/pages/node/6988821&gt;

Workarounds and Mitigations

None