Dec 16, 2020 - 8:03 a.m.

Security Bulletin: A vulnerability in JavaScript affects IBM License Metric Tool v9 (CVE-2020-8203).

www.ibm.com

EPSS: 0.017 (percentile 87.7%)

Summary

There is a vulnerability in the JavaScript library Lodash, which is used by IBM License Metric Tool.

Vulnerability Details

CVEID: CVE-2020-8203
**DESCRIPTION:** Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/183560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
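A defender-side illustration of the merge-based prototype pollution described above, written as an added example in plain JavaScript (it is not IBM's or lodash's code): a scanner that flags the keys such a payload depends on, and a deep merge that refuses them. The request body, key names and function names are constructed for illustration.

```javascript
// Added example (not IBM's or lodash's code): detection and mitigation for
// prototype pollution through a recursive merge/defaultsDeep-style helper.
const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Detection: returns the dotted path of every key that a naive recursive merge
// would follow into Object.prototype. Suitable for rejecting or logging a body.
function findPollutingKeys(input, path = "", found = []) {
  if (!isPlainObject(input)) return found;
  for (const key of Object.keys(input)) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTING_KEYS.has(key)) found.push(here);
    else findPollutingKeys(input[key], here, found);
  }
  return found;
}

// Mitigation: a deep merge that only writes own properties of plain objects and
// skips the three dangerous keys, so nothing can land on Object.prototype.
function safeDeepMerge(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue; // the merge/defaultsDeep vector
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body (hypothetical, not from the bulletin). JSON.parse makes
// "__proto__" an ordinary own key, which is why an unfiltered merge follows it.
const UNTRUSTED_BODY = JSON.parse(
  '{"name":"ilmt","__proto__":{"polluted":true},"opts":{"constructor":{"prototype":{"x":1}}}}'
);
function demo() {
  const flagged = findPollutingKeys(UNTRUSTED_BODY);
  const merged = safeDeepMerge({ name: "default", opts: { debug: false } }, UNTRUSTED_BODY);
  return { flagged, merged, prototypeClean: ({}).polluted === undefined };
}
```

Running `demo()` reports the two flagged paths and a merge result that carries none of them, while `Object.prototype` stays untouched.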

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM License Metric Tool | All |

Remediation/Fixes

Upgrade to version 9.2.22 or later using the following procedure:

1. In the BigFix console, expand the IBM License Reporting (ILMT) node under the Sites node in the tree panel.
2. Click the Fixlets and Tasks node. The Fixlets and Tasks panel is displayed on the right.
3. In the Fixlets and Tasks panel, locate the "Upgrade to the latest version of IBM License Metric Tool 9.x" fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None