
Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7

Published: 2020-04-08 18:33:24
Source: www.ibm.com

EPSS: 0.004 (percentile 72.8%)

Summary

Resilient is vulnerable to using a Python component with known vulnerabilities in RHEL 7. CVE-2019-9948 and CVE-2019-9947 are fixed in RHEL 7 as part of Errata RHSA-2019:2030 (https://access.redhat.com/errata/RHSA-2019:2030). This update is included in Resilient 34.1.53, released on September 17, 2019, and subsequent versions.

Vulnerability Details

CVEID: CVE-2019-9948
DESCRIPTION: Python could allow a remote attacker to bypass security restrictions, caused by improper input validation in urllib. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the protection mechanism that blocklists file: URIs.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-9947
DESCRIPTION: Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which would allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
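Both CVEs above are input-validation weaknesses inside urllib itself, so an application that builds outbound requests from untrusted input can reduce its exposure by validating the URL before urllib ever sees it. The following is an added example of such a pre-check, not code from IBM, Resilient or CPython: it rejects any control character (the class of input that enables the header injection in CVE-2019-9947) and replaces urllib's deny-list of local schemes (the mechanism bypassed in CVE-2019-9948) with an allow-list of http and https. The function names and the sample URLs are constructed for this illustration.

```python
import urllib.parse

# Application-side pre-check, added as an illustration (not IBM's or CPython's code).
# Only the schemes the application intends to fetch are accepted.
ALLOWED_SCHEMES = {"http", "https"}


def check_outbound_url(url: str) -> str:
    """Return url unchanged if it passes the allow-list; raise ValueError otherwise."""
    # CVE-2019-9947 class: a CR or LF inside the URL can end the request line and
    # append attacker-chosen header lines. Refuse every ASCII control character,
    # and do it before urlsplit(), which in newer Pythons silently strips some of them.
    bad = [ch for ch in url if ord(ch) < 0x20 or ord(ch) == 0x7F]
    if bad:
        raise ValueError("control character in URL: %r" % bad[0])

    parts = urllib.parse.urlsplit(url)
    scheme = parts.scheme.lower()
    # CVE-2019-9948 class: urllib's deny-list of local file schemes could be bypassed.
    # A deny-list is fragile; an allow-list makes every unexpected scheme fail closed.
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % (scheme or "<none>"))
    if not parts.hostname:
        raise ValueError("URL has no host component")
    return url


def is_safe_outbound_url(url: str) -> bool:
    """Boolean wrapper for callers that prefer a predicate over an exception."""
    try:
        check_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bulletin.
    samples = [
        "https://example.com/api/v1/status",
        "file:///etc/passwd",
        "http://example.com/path\r\nX-Injected: 1",
        "example.com/no-scheme",
    ]
    for s in samples:
        verdict = "allowed" if is_safe_outbound_url(s) else "rejected"
        print("%-45r -> %s" % (s, verdict))
```

This check is a defence-in-depth layer, not a substitute for the package update in the Remediation section: it only covers URLs the application constructs itself, and urllib's internal handling is still whatever the installed version provides.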

Affected Products and Versions

Affected Product(s)   Version(s)
IBM Resilient         v33.x
IBM Resilient         v34.0

Remediation/Fixes

CVE-2019-9948 and CVE-2019-9947 are fixed in RHEL 7 as part of Errata RHSA-2019:2030 (https://access.redhat.com/errata/RHSA-2019:2030). This update is included in Resilient 34.1.53, released on September 17, 2019, and subsequent versions.

It can be installed by following the instructions in https://www.ibm.com/support/knowledgecenter/SSBRUQ_34.0.0/com.ibm.resilient.doc/install/resilient_install_updates_sw.htm

The relevant package is python-2.7.5-86.el7.x86_64.rpm.
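To confirm that a host is at or past the package level named above, the installed python RPM's name-version-release string can be compared against python-2.7.5-86.el7. The following is an added example of that comparison, not IBM's or Red Hat's tooling: it parses an el7-style NVR into a numeric version tuple and release number, compares them against the fixed level, and (where rpm is available) queries the installed package. The NVR values in the main block and tests are constructed samples.

```python
import re
import subprocess

# Package-level check, added as an illustration (not IBM's or Red Hat's tooling).
# The bulletin names python-2.7.5-86.el7 as the package carrying RHSA-2019:2030.
FIXED_NVR = "python-2.7.5-86.el7"

# name-version-release[.arch], e.g. python-2.7.5-86.el7.x86_64 or python-libs-2.7.5-86.el7
_NVR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>\d+)"
    r"\.(?P<dist>el\d+(?:_\d+)?)(?:\.(?P<arch>[A-Za-z0-9_]+))?$"
)


def parse_nvr(nvr: str):
    """Split 'python-2.7.5-86.el7.x86_64' into (name, version tuple, release int, dist)."""
    m = _NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError("not an el7-style NVR: %r" % nvr)
    version = tuple(int(p) for p in m.group("ver").split("."))
    return m.group("name"), version, int(m.group("rel")), m.group("dist")


def is_at_fixed_level(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True if the installed (version, release) is >= the fixed level for the same package."""
    name, ver, rel, _ = parse_nvr(installed_nvr)
    fname, fver, frel, _ = parse_nvr(fixed_nvr)
    if name != fname:
        raise ValueError("package name mismatch: %r vs %r" % (name, fname))
    # Version is compared as a numeric tuple first, then the release number,
    # so 2.7.5-80 < 2.7.5-86 <= 2.7.5-88 < 2.7.18-1 (plain string comparison would not).
    return (ver, rel) >= (fver, frel)


def installed_python_nvrs():
    """Query rpm for the installed python package(s); empty list where rpm is unavailable."""
    try:
        out = subprocess.run(["rpm", "-q", "python"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line for line in out.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    nvrs = installed_python_nvrs()
    if not nvrs:
        print("rpm query unavailable; using a constructed sample NVR instead")
        nvrs = ["python-2.7.5-80.el7.x86_64"]
    for nvr in nvrs:
        state = "at or past RHSA-2019:2030 level" if is_at_fixed_level(nvr) else "NOT fixed"
        print("%s: %s" % (nvr, state))
```

On a RHEL 7 host the same comparison can be made with the distribution's own rpm version-comparison tooling; the point of spelling it out here is that the release number must be compared numerically, since 2.7.5-86 sorts before 2.7.5-9 as a string.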

Workarounds and Mitigations

None