IBM API Connect has addressed the following PHP vulnerabilities, which affect the Developer Portal.
CVEID: CVE-2019-11038
DESCRIPTION: PHP could allow a remote attacker to obtain sensitive information, caused by an uninitialized read in the gdImageCreateFromXbm function. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/161866> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-11039
DESCRIPTION: PHP is vulnerable to a denial of service, caused by an out-of-bounds read in the _php_iconv_mime_decode function in iconv.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash or obtain sensitive information.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/161867> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2019-11040
DESCRIPTION: PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the php_jpg_get16 function. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/161868> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected IBM API Connect versions:
5.0.0.0-5.0.8.6 iFix 1
2018.1-2018.4.1.5
Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM API Connect 5.0.0.0-5.0.8.6 iFix 1 | 5.0.8.6 iFix 2 | LI80958 | Addressed in IBM API Connect V5.0.8.6 iFix 2 dated June 11, 2019. Developer Portal is impacted. Follow this link and find the APIConnect-Portal package: http://www.ibm.com/support/fixcentral/swg/quickorder |
IBM API Connect V2018.1-2018.4.1.5 | 2018.4.1.6 | LI80958 | Addressed in IBM API Connect v2018.4.1.6 and subsequent iFixes. Developer Portal is impacted. Follow this link and find the "portal" package appropriate for the form factor of your installation: http://www.ibm.com/support/fixcentral/swg/quickorder |
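The following Python script is an added example for this page, not IBM code or tooling. It encodes the fix table above (affected lower bounds, first fixed levels, APAR LI80958) and reports whether a given API Connect Developer Portal level still needs the fix. Two assumptions are made: the accepted version-string formats ("5.0.8.6 iFix 1", "5.0.8.6-ifix2", "2018.4.1.5") are mine, and every iFix of an affected base level is treated as affected, so a level is affected when it is at or above the lower bound and strictly below the first fixed level (which also matches the bulletin's "2018.4.1.6 and subsequent iFixes").

```python
"""Version check against the IBM API Connect fix table in this bulletin.

Added example for this page; it is not IBM code. The affected lower bounds,
first fixed levels and APAR come from the fix table above. The accepted
version-string formats are an assumption of this example.
"""
import re
from typing import NamedTuple, Optional, Tuple

# (stream, affected lower bound, first fixed level, action) from the bulletin.
# Assumption: every iFix of an affected base level is still affected, so a
# level is affected when lower bound <= version < first fixed level.
FIX_TABLE = (
    ("V5", "5.0.0.0", "5.0.8.6 iFix 2",
     "Apply 5.0.8.6 iFix 2 (APAR LI80958): APIConnect-Portal package from Fix Central"),
    ("V2018", "2018.1", "2018.4.1.6",
     "Upgrade to 2018.4.1.6 or a later iFix (APAR LI80958): portal package for your form factor"),
)

# "<digits>.<digits>..." optionally followed by "iFix <n>" (case-insensitive,
# separated by spaces, hyphens or underscores). Assumed format.
_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)(?:[\s_-]*ifix[\s_-]*(\d+))?\s*$", re.IGNORECASE)

Version = Tuple[int, int, int, int, int]  # (major, minor, release, mod, ifix)


def parse_version(text: str) -> Version:
    """Normalise a VRMF string into a 5-tuple so that tuple comparison orders levels."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API Connect version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (4 - len(parts))          # "2018.1" -> 2018.1.0.0
    ifix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], parts[3], ifix)


class Assessment(NamedTuple):
    affected: bool
    stream: Optional[str]   # "V5", "V2018", or None when the bulletin does not list it
    action: str


def assess(text: str) -> Assessment:
    """Decide whether a Developer Portal at this API Connect level needs the fix."""
    v = parse_version(text)
    for stream, low, fixed, action in FIX_TABLE:
        lo, fx = parse_version(low), parse_version(fixed)
        if v[0] != lo[0]:
            continue                          # belongs to the other release stream
        if v < lo:
            return Assessment(False, stream, f"below {low}: not listed in this bulletin")
        if v < fx:
            return Assessment(True, stream, action)
        return Assessment(False, stream, f"at or above fixed level {fixed}")
    return Assessment(False, None, "version not covered by this bulletin")


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    for ver in ("5.0.8.6 iFix 1", "5.0.8.6 iFix 2", "2018.4.1.5", "2018.4.1.6", "2018.1"):
        a = assess(ver)
        print(f"{ver:18} affected={str(a.affected):5} {a.action}")
```

Feed it the portal level reported by your installation; a result of `affected=True` means the PHP build shipped with that Developer Portal predates the fix for all three CVEs above.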
None