IBMDB10C5B1B170EE45C7096F79D2EEA33A564FF309B0B4E24AA964BF3F44313DDBSecurity Bulletin: Vulnerability found in pdfbox-1.8.1.jar which is shipped with IBM® Intelligent Operations Center(220742, CVE-2018-11797, CVE-2016-2175)
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
47.3%
Summary
Vulnerability have been identified in pdfbox-1.8.1.jar which is shipped with IBM® Intelligent Operations Center. Information about this vulnerability affecting IBM® Intelligent Operations Center have been published and addressed the applicable CVEs.
Vulnerability Details
CVEID:CVE-2018-11797
**DESCRIPTION:**Apache PDFBox is vulnerable to a denial of service, caused by a flaw when parsing the page tree. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150898 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2016-2175
**DESCRIPTION:**Apache PDFBox could allow a remote authenticated attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/113548 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**IBM X-Force ID:**220742
**DESCRIPTION:**Apache PDFBox could allow a remote authenticated attacker to obtain sensitive information, caused by improper permission assignment. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220742 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Intelligent Operations Center (IOC) | 5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.6, 5.2, 5.2.1, 5.2.2, 5.2.3 |
Remediation/Fixes
The recommended solution is to apply an interim fix that contains the fix for this issue as soon as practical.
Download the IBM Intelligent Operations Center Version 5.2.4 is an upgrade to IBM Intelligent Operations Center Version 5.2.3 through IBM Intelligent Operations Center Version 5.2 from the following link:
IBM Intelligent Operations Center Version 5.2.4
Installation instructions for the fix are included in the readme document that is in the fix package.
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
47.3%