Lucene search

K
ibmIBMF3376FD326CA93DE3AEBBA20B128F1D291C9965C2395C107A6A3B6628A782536
HistoryJun 02, 2022 - 1:24 p.m.

Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos

2022-06-0213:24:33
www.ibm.com
40

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.157 Low

EPSS

Percentile

95.9%

Summary

IBM has provided explicit mitigation for the following Kerberos CVEs. DataPower did not previously provide the conditions necessary to exploit these CVEs. The explicit mitigations provided here protect against possible future changes that might have made them exploitable.

Vulnerability Details

CVEID:CVE-2014-5352
**DESCRIPTION:**MIT krb5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a double-free error in gss_process_context_token(). An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/100842 for the current score.
CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVEID:CVE-2014-4344
**DESCRIPTION:**MIT Kerberos 5 (krb5) is vulnerable to a NULL pointer dereference in the acc_ctx_cont() function within the SPNEGO Acceptor for Continuation Tokens. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95210 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2015-2695
**DESCRIPTION:**MIT Kerberos is vulnerable to a denial of service, caused by a pointer type error in the GSS-API library. By sending a specially crafted gss_inquire_context() call on a partially-established SPNEGO context, a remote attacker could exploit this vulnerability to cause the process to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/107874 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway V10CD 10.0.2.0-10.0.3.0
IBM DataPower Gateway 10.0.1 10.0.1.0-10.0.1.4
IBM DataPower Gateway 2018.4.1.0-2018.4.1.17

Remediation/Fixes

Affected Product Fixed in Version APAR
IBM DataPower Gateway V10CD 10.0.4.0 IT37935
IBM DataPower Gateway 10.0.1 10.0.1.5 IT37935
IBM DataPOwer Gateway 2018.4.1 2018.4.1.18 IT37935

Workarounds and Mitigations

None

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.157 Low

EPSS

Percentile

95.9%