Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7. CVE-2019-9948 and CVE-2019-9947 are fixed in RHEL7 as part of Errata RHSA-2019:2030 (https://access.redhat.com/errata/RHSA-2019:2030). This update is included in Resilient 34.1.53, released on September 17, 2019, and subsequent versions.
CVEID:CVE-2019-9948
**DESCRIPTION:**Python could allow a remote attacker to bypass security restrictions, caused by improper input validation by the urllib. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass the blocklist file: URIs protection mechanisms.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2019-9947
**DESCRIPTION:**Python is vulnerable to HTTP header injection, caused by improper validation of input in urllib and urllib2. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Resilient | v33.x |
IBM Resilient | v34.0 |
CVE-2019-9948 and CVE-2019-9947 are fixed in RHEL7 as part of Errata RHSA-2019:2030 (<https://access.redhat.com/errata/RHSA-2019>:2030). This update is included in Resilient 34.1.53, released on September 17, 2019, and subsequent versions.
It can be installed by following the instructions in <https://www.ibm.com/support/knowledgecenter/SSBRUQ_34.0.0/com.ibm.resilient.doc/install/resilient_install_updates_sw.htm.>
The relevant package is python-2.7.5-86.el7.x86_64.rpm
None