Lucene search

K
ibmIBME3869F4C02C08AC1155CA8A6E5BB7EC506A36415CBAD32ECC32204DE9005D1E1
HistoryFeb 22, 2019 - 5:15 a.m.

Security Bulletin: Public disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Explorer

2019-02-2205:15:02
www.ibm.com
6

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Public disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Explorer

Vulnerability Details

**CVE-ID:**CVE-2018-15756 Description: Pivotal Spring Framework is vulnerable to a denial of service, caused by improper handling of range request by the ResourceHttpRequestHandler. By adding a range header with a high number of ranges, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/151641&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Spectrum LSF Explorer 10.2, 10.2.0.6, 10.2.0.7

Remediation/Fixes

<Product

|

VRMF

|

APAR

|

Remediation/First Fix

—|—|—|—

Spectrum LSF Explorer

|

10.2

|

None

|

See workaround

Spectrum LSF Explorer

|

10.2.0.6

|

None

|

See workaround

Spectrum LSF Explorer

|

10.2.0.7

|

None

|

See workaround

Workarounds and Mitigations

Spectrum LSF Explorer 10.2 & 10.2.0.6 & 10.2.0.7

  1. Download Spring Framework 4.3.22 from following link, https://repo.spring.io/release/org/springframework/spring/4.3.22.RELEASE/spring-framework-4.3.22.RELEASE-dist.zip
  2. Replace the downloaded files (spring-context-support-4.3.22.RELEASE.jar, spring-beans-4.3.22.RELEASE.jar, spring-context-4.3.22.RELEASE.jar, spring-expression-4.3.22.RELEASE.jar, spring-web-4.3.22.RELEASE.jar, spring-core-4.3.22.RELEASE.jar, spring-aop-4.3.22.RELEASE.jar, spring-context-support-4.3.22.RELEASE.jar, spring-jdbc-4.3.22.RELEASE.jar, spring-beans-4.3.22.RELEASE.jar, spring-context-4.3.22.RELEASE.jar, spring-expression-4.3.22.RELEASE.jar, spring-web-4.3.22.RELEASE.jar, spring-core-4.3.22.RELEASE.jar, spring-webmvc-4.3.22.RELEASE.jar, spring-aop-4.3.22.RELEASE.jar, spring-orm-4.3.22.RELEASE.jar, spring-tx-4.3.22.RELEASE.jar) into Application Center installed environment.
  3. How to find replace files location
    * Navigate to Spectrum LSF Explorer Server installed directory
    * run command ‘find . -name “spring4.3.2*.jar”’

CPENameOperatorVersion
ibm spectrum lsf explorereqany

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Related for E3869F4C02C08AC1155CA8A6E5BB7EC506A36415CBAD32ECC32204DE9005D1E1